The libpcap packet header structure has 2 length fields:

incl_len: the number of bytes of packet data actually captured and saved in the file. This value should never become larger than orig_len or the snaplen value of the global header.

orig_len: the length of the packet as it appeared on the network when it was captured. If incl_len and orig_len differ, the actually saved packet size was limited by snaplen.

Can anyone tell me what the difference between the 2 length fields is? We are saving the packet in its entirety; then how can the 2 differ?

asked 07 Mar '12, 21:17 v j
One Answer:
If you are capturing the entire packet they do not differ, but if you have specified that only 96 bytes of each packet should be saved (snap length), then incl_len will be 96 and orig_len the actual length of the packets, which makes it possible for a program reading the file to "know" that bytes are "missing".

answered 07 Mar '12, 21:58 Anders ♦
I am trying to capture TinyOS (telosb mote) packets in Wireshark. Wireshark doesn't support direct capture from telosb motes, so I am writing an application that fetches the packets and writes them to a capture file in pcap format. The problem is that the received packets are in TINYOS format, so I need to create an 802.15.4 packet from them. I have used the structure Ieee802154_packet (from Wireshark) to create the packet and write it to the file. Should incl/cap len here be the size of the Ieee802154_packet struct? Please correct me if I am wrong.
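
Added example (not part of the original thread, and not libpcap or Wireshark code): a minimal Python writer and reader for the classic pcap format that shows when incl_len and orig_len differ, and that enforces the two limits quoted in the question before trusting a record. The link-type value 195 (IEEE 802.15.4 with FCS), the function names and the sample frames are assumptions made for the illustration; only little-endian, microsecond-resolution files are handled.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_IEEE802_15_4 = 195             # assumed link type for the sample frames

def write_pcap(frames, snaplen, linktype=LINKTYPE_IEEE802_15_4):
    """Serialize frames (bytes objects) into a pcap byte string, truncating at snaplen."""
    out = io.BytesIO()
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, frame in enumerate(frames):
        saved = frame[:snaplen]
        # incl_len counts the bytes written after this header; orig_len is the on-air size.
        out.write(RECORD_HDR.pack(ts_sec, 0, len(saved), len(frame)))
        out.write(saved)
    return out.getvalue()

def read_pcap(blob):
    """Return (snaplen, [(incl_len, orig_len, data), ...]); reject inconsistent lengths."""
    if len(blob) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, off = [], GLOBAL_HDR.size
    while off < len(blob):
        if len(blob) - off < RECORD_HDR.size:
            raise ValueError("truncated record header")
        _, _, incl_len, orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        # The two rules quoted in the question, plus a bounds check on the file itself.
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError("incl_len exceeds orig_len or snaplen")
        if incl_len > len(blob) - off:
            raise ValueError("incl_len runs past end of file")
        records.append((incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return snaplen, records

def truncated(records):
    """Indexes of records where bytes are missing (incl_len < orig_len)."""
    return [i for i, (incl, orig, _) in enumerate(records) if incl < orig]

# Constructed sample frames: 20 and 120 bytes of filler, not real captures.
SAMPLE_FRAMES = [bytes(range(20)), bytes(120)]
```

With a snaplen of 96, the 120-byte sample frame is stored with incl_len 96 and orig_len 120, while the 20-byte frame has both fields equal to 20. In the writer, incl_len is always the count of bytes actually written after the record header.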