This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet size limited during capture: xxxxxx truncated

0

Hello all,

I am opening a pcap file and see the following message with some packets marked as:

[Packet size limited during capture: xxxxxx truncated]

I searched the web but there isn't much information on it and hoping I could get the reason for the error.

Thanks.

asked 10 Mar '16, 15:04

MYSLTN's gravatar image

MYSLTN
0112
accept rate: 0%

One Answer:

0

The capture mechanisms used by Wireshark, e.g. libpcap or WinPcap allow the length of capture packets to be limited, usually for performance reasons, as often all that's needed is the IP\TCP\UDP headers and not the payload.

When packets are limited this way, with the snaplen option, then Wireshark displays the information you've noticed. To capture the full packet, ensure snaplen is set to the default, usually 65535 in the capture options dialog for the interface the capture is made on.

answered 10 Mar '16, 15:16

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

And tcpdump and other programs also use libpcap/WinPcap, and offer the same sort of length limitation (the -s flag to tcpdump - and TShark and Wireshark and dumpcap).

The capture mechanism used by some other network analyzers also offers that capability.

So the pcap file in question was probably captured with such a "snapshot length", i.e. maximum amount of packet data that will be captured and saved, configured. If you look at the "Frame" part of the dissection of one of those "Packet size limited during capture" packets, the "bytes captured" value will probably be the configured snapshot length.

(10 Mar '16, 17:01) Guy Harris ♦♦

Thank you Grahamb & Guy for the quick response. I will check the snapshot length for the analyzer tool.

Kind Regards.

(11 Mar '16, 05:45) MYSLTN