This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture length is always 94 byte


Hi, I was looking at the tcpdump capture from one of the systems, and I am seeing that the capture length is always 94 bytes even if the frame length is more than that. What does it mean?

I see a lot of retransmissions; is it because of this?

Frame Length: 1392 bytes (11136 bits) Capture Length: 94 bytes (752 bits)

Frame Length: 142 bytes (1136 bits) Capture Length: 94 bytes (752 bits)

asked 26 May '15, 13:08


Sudarshan


One Answer:


> I am seeing the capture length is always 94 byte even if Frame length is more than that. What does it mean?

It means that the system which created the capture file limited the frame size to 94 bytes, for whatever reason (option -s for tcpdump, dumpcap and tshark; "Limit each packet to" in the Wireshark GUI: Capture -> Options, then double-click an interface), or that somebody has used a pcap anonymizer tool which truncated the frames in the capture file.

> I see lot of retransmissions is it because of this?

No.

Regards
Kurt

answered 26 May '15, 13:53


Kurt Knochner ♦
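One way to check a capture file for the truncation described in the answer, as an added example that is not part of the original post: it reads the snaplen from a classic pcap file header and compares each record's captured length with its original frame length. The sample bytes are constructed from the two frame sizes in the question plus one assumed 60-byte frame; the function names are hypothetical and pcapng files are not handled.

```python
import io
import struct

# Classic pcap magic as stored on disk -> struct byte-order prefix
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def truncation_report(stream):
    """Return the file snaplen and truncation counts for a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[header[:4]]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    snaplen = struct.unpack(endian + "HHiIII", header[4:])[4]
    packets = truncated = missing = 0
    while True:
        record = stream.read(16)
        if len(record) < 16:
            break
        # ts_sec, ts_frac, incl_len ("Capture Length"), orig_len ("Frame Length")
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", record)
        if len(stream.read(incl_len)) < incl_len:
            break  # file ends in the middle of a record
        packets += 1
        if incl_len < orig_len:
            truncated += 1
            missing += orig_len - incl_len
    return {"snaplen": snaplen, "packets": packets,
            "truncated": truncated, "missing_bytes": missing}

def build_sample(snaplen=94, frame_lengths=(1392, 142, 60)):
    """Constructed capture: frames cut to snaplen, as `-s 94` would store them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for orig_len in frame_lengths:
        incl_len = min(orig_len, snaplen)
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    print(truncation_report(io.BytesIO(build_sample())))
```

A frame shorter than the snaplen is stored whole, so only frames longer than 94 bytes show a capture length below the frame length.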