I am somewhat new to PCap, but I am familiar with network code and packet sniffers, so I downloaded the Windows API (which, by the way, is incredible) and wrote a UDP packet sniffer program in MFC in about 2 days to play around and analyze some proprietary protocols, and I noticed something strange. The packet lengths set in my pcap_pkthdr by pcap_next_ex always differ from what EtherPeek (another packet sniffer program) captures, by 4 bytes. To test it, just to make sure I hadn't screwed up something with my implementation, I ran Ethereal and EtherPeek at the same time, and sure enough they come across as different. After looking at the data, it appears that the EtherPeek packets all had an appended 4 bytes of NULL added to them. So the question is, is PCap stripping these off, or is EtherPeek adding them on?

Thanks for your time, and I apologize if this question has been asked previously; I scoured the previous 4 pages of mailing list subjects and didn't see anything that looked like it addresses this.

--jeff

==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[EMAIL PROTECTED]/

To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
