Hello guys, I am a beginner. There is a question as below: What's the difference between the Thanks for you answers! Sam asked 26 Sep '11, 08:25 Sam edited 26 Sep '11, 21:42 helloworld |
2 Answers:
Why this difference? For one, the capture can be made in such a way that only the first x bytes of the frame are stored. Then the TVB contents will be less than the reported length. answered 26 Sep '11, 10:33 Jaap ♦ |
I think Bill Meier's comment 13 in bug 5403 sum it up nicely, but just to be clear in case you're not familiar with snaplens: During packet capturing, it is possible and sometimes desirable to only capture up to some maximum number of bytes per packet, and not necessarily the whole packet. Wireshark, tshark, dumpcap, (and other packet capturing tools) all have an option for setting this limit and it's generally referred to as the snaplen. When using a snaplen then, the packet can be truncated when captured; however, the original length - i.e. the number of bytes that would have been captured had a snaplen not been set - is still known. So, we have the length, which is the number of bytes actually captured and the reported_length, which is the number of bytes that would have been captured if a snaplen had not been used. answered 26 Sep '11, 10:19 cmaynard ♦♦ Thanks, it's very helpful for me. Regards, Sam (27 Sep '11, 05:39) Sam |
"Underlying protocol" meaning the "layer carrying the data" right? For example, the underlying protocol of HTTP is TCP.