Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-22 Thread Guy Harris
On Jul 22, 2019, at 8:27 AM, Holger Pfrommer wrote:

> thanks for your clarification. So I assume pcapng would be a good future-proof choice.

...as would adding a new link-layer header type, which would be supported in both pcap and pcapng.

> Which leads to the next question. When I put a ve

Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-22 Thread Holger Pfrommer
Subject: Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured” Hi, so if I get this right you expect to end up with a frame where length of the original content is less than what ends up in the pcap because meta data is added? This usually happens by adding a trailer to the Ethernet frame, e.g

Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-21 Thread Stephen Donnelly
gertz Sent: Saturday, 20 July 2019 4:30 AM To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured” Hi, so if I get this right you expect to end up with a frame where length of the original content is less than what ends up in the pcap because me

Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-19 Thread Guy Harris
On Jul 19, 2019, at 9:30 AM, Jasper Bongertz wrote:

> so if I get this right you expect to end up with a frame where length of the original content is less than what ends up in the pcap because meta data is added? This usually happens by adding a trailer to the Ethernet frame,

Not necessa

Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-19 Thread Guy Harris
On Jul 19, 2019, at 5:52 AM, Holger Pfrommer wrote:

> Now my question: It would be very useful to use pcap’s caplen and len values to report original packet length while a capture device adds additional data to a frame, for example a header containing some more details about the frame its

Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-19 Thread Jasper Bongertz
Hi, so if I get this right you expect to end up with a frame where length of the original content is less than what ends up in the pcap because meta data is added? This usually happens by adding a trailer to the Ethernet frame, e.g. some TAPs do that to add high precision timestamps and other inf

[Wireshark-dev] “bytes on wire” vs. “bytes captured”

2019-07-19 Thread Holger Pfrommer
Hi, I was wondering about a fact regarding the reported frame lengths in Wireshark. The frame dissector states “bytes on wire” and “bytes captured” values. I understand that these values were initially generated by the values caplen and len in the pcap packet header as follows: struct pcap_pkth