Wireshark-bugs: [Wireshark-bugs] [Bug 12586] Error reading an externally generated CAP
Date: Wed, 06 Jul 2016 11:53:26 +0000

Comment # 1 on bug 12586 from
(In reply to Raffaele Rialdi from comment #0)
> 
> * Important note:
> Some of the CAP packet headers are generated with an "incl_len" greater than
> "orig_len". The tool who generated the file use the extra space to store
> information that are not part of the network traffic (and that will NOT be
> shown by wireshark).
> According to the CAP specification this should not cause problems at all.

>From https://wiki.wireshark.org/Development/LibpcapFileFormat

incl_len: the number of bytes of packet data actually captured and saved in the
file. This value should never become larger than orig_len or the snaplen value
of the global header. 

>From http://www.tcpdump.org/manpages/pcap-savefile.5.html

Following that are a 4-byte value giving the number of bytes of captured data
that follow the per-packet header and a 4-byte value giving the number of bytes
that would have been present had the packet not been truncated by the snapshot
length

So even though the manpage doesn't strictly forbid it, the semantics indicate
that this is incorrect use of the format. It's simply not that flexible (it's
rigid), hence the desire for pcapng.


You are receiving this mail because:
  • You are watching all bug changes.