The libpcap packet header structure has 2 length fields:
incl_len: the number of bytes of packet data actually captured and saved in the file. This value should never become larger than orig_len or the snaplen value of the global header.
orig_len: the length of the packet as it appeared on the network when it was captured. If incl_len and orig_len differ, the actually saved packet size was limited by snaplen.
Can any one tell me what is the difference between the 2 length fields? We are saving the packet in entirely then how can the 2 differ?
asked 07 Mar '12, 21:17
If you are capturing the entire packet they do not differ, but if yo have specified that only 96 bytes of each packet should be saved(snap lenght) then incl_lenght will be 96 and orig_len the actual lenght of the packets which makes it possible for a program reading the file to "know" that bytes are "missing".
answered 07 Mar '12, 21:58