I am writing a Delphi (Pascal) app that will do some custom parsing of a .pcap file. The .pcap file is written by Wireshark/winpcap. I found C++ sample code for parsing the .pcap file, and I converted the C++ structs to Delphi records. And I've got my app mostly done. But, one thing that I'm just not getting...
The headers for the Ethernet header, IP header and TCP header come out to 54 bytes, assuming of course the packet in question is an Ethernet TCP/IP packet. Which is all I am working with. So, if the pcap record header incl_len is, for example, 60, then the TCP payload would be 6 bytes, no?
Well, no, or at least it seems not necessarily. In Wireshark, you can display columns of "length" and "info". And within the "info" column, it tells you things like the sequence number, the ack number, etc. And it tells you the "len". But, I'm seeing some rows with a "length" of 60 with a "len" of 6, as I would expect. But other rows of "length" of 60 may have len = 1 or 2 or 3, etc.
Moreover, it seems that the "len" value, wherever it comes from, is the correct value for the usable data in the packet. If the len seems like it should be, say, 6 (in my example of length of 60) then if len is less than 6, then the additional bytes are just garbage or superfluous. Or maybe they have some meaning that is beyond my understanding.
So, here is my question: where the heck is Wireshark getting "len" from? As far as the "length", that does seem to be the incl_len. But, for the "len", I can't find it from any of the values in the headers. As I said, I would think it would be length-54 (assuming Ethernet TCP/IP) and it often is. But it often isn't and I haven't a clue where len is coming from but I need it.
asked 19 Nov '12, 05:45
Cool, someone else besides me using Delphi to parse trace files...
If a packet has 54 bytes (14 Ethernet header, 20 IP header, 20 TCP header) and no TCP payload it would be too short to be a valid Ethernet frame, which needs to be 60 bytes plus FCS = 64 bytes. To achieve the minimum length, the frame is padded on the Ethernet layer by 6 bytes. You can deduce the TCP payload length by taking the IP total length minus the IP and TCP header length.
By the way, you only see packets with a length of 54 bytes if you're capturing on the system that is sending them, because Wireshark/Dumpcap will "pick them up" before the network card has done the padding. You can verify this by capturing on the other machine - it will show you the packets including padding. Oh, and Wireshark does not keep the FCS, which is why you'll see 60 bytes instead of 64.
answered 19 Nov '12, 05:52
edited 19 Nov '12, 05:58
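The calculation in the answer, worked through on a constructed pcap file as an added example (this is not code from the question or the answer, and it is Python rather than Delphi so it can be run without a compiler). It builds four Ethernet/IPv4/TCP frames with payloads of 6, 1, 3 and 100 bytes, pads the short ones to the 60-byte Ethernet minimum (no FCS, as Wireshark stores them), writes them into an in-memory pcap, then reads the records back and shows, side by side, the naive `incl_len - 54` guess and the correct value from the IP total length minus the IP header length (IHL * 4) minus the TCP header length (data offset * 4). The MAC and IP addresses, ports and zeroed checksums are constructed sample values only.

```python
import struct

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(payload: bytes, pad_to: int = 60) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame carrying `payload`, padded to `pad_to` bytes (no FCS).

    Checksums are left at zero: this example only inspects length fields.
    """
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst, src, EtherType IPv4
    ip_total_len = 20 + 20 + len(payload)  # IP header + TCP header + data, as the IP layer sees it
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total_len, 0, 0, 64, 6, 0,  # version/IHL=5, TOS, total len, id, flags/frag, TTL, proto TCP, csum
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5 words, PSH|ACK
    frame = eth + ip + tcp + payload
    if len(frame) < pad_to:
        frame += b"\x00" * (pad_to - len(frame))  # Ethernet minimum-size padding (done by the NIC on the wire)
    return frame


def build_pcap(frames) -> bytes:
    """Wrap frames in pcap record headers (ts_sec, ts_usec, incl_len, orig_len) behind a global header."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f))
        out += f
    return bytes(out)


def iter_records(pcap: bytes):
    """Yield (incl_len, frame_bytes) for each record, honouring the file's byte order from the magic."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # 0xD4C3B2A1 read little-endian means a big-endian file
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield incl_len, pcap[off:off + incl_len]
        off += incl_len


def tcp_payload_len(frame: bytes) -> int:
    """TCP payload length = IP total length - IP header length - TCP header length (ignores any padding)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in 32-bit words -> bytes (options included)
    ip_total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4       # TCP data offset in 32-bit words -> bytes (options included)
    return ip_total_len - ihl - data_off


def compare_lengths(pcap: bytes):
    """Per record: (incl_len, naive incl_len - 54, correct TCP payload length)."""
    return [(incl_len, incl_len - 54, tcp_payload_len(frame)) for incl_len, frame in iter_records(pcap)]


# Constructed sample capture: three padded short frames and one that needs no padding.
SAMPLE_PCAP = build_pcap([build_frame(b"ABCDEF"), build_frame(b"A"), build_frame(b"ABC"), build_frame(b"X" * 100)])

if __name__ == "__main__":
    for incl_len, naive, real in compare_lengths(SAMPLE_PCAP):
        print(f"length={incl_len:4d}  incl_len-54={naive:4d}  len={real:4d}")
```

The first column matches Wireshark's "Length" (incl_len), the last column matches the "Len" it shows in the Info column; only the first and fourth frames agree with the naive subtraction, because the 1-byte and 3-byte payloads have been padded out to 60 bytes at the Ethernet layer. A Delphi port of `tcp_payload_len` is the same three reads: the IHL nibble, the big-endian total length word at IP offset 2, and the data-offset nibble at TCP offset 12.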