pcap struct pcap_pkthdr len vs caplen


Problem description

We're sniffing packets using libpcap on Linux. The header we get on each packet looks like:

struct pcap_pkthdr {
        struct timeval ts;      /* time stamp */
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
};

Now, it is my understanding that caplen is the length of the data we have captured while len is the length of the packet on the wire. In some cases (e.g. when setting the snaplen too low when opening the pcap device) we might capture only parts of the packet; that length will be 'caplen', while 'len' is the original length. Thus, caplen should be equal to or less than len, but never greater than len.

Is that a proper understanding? We're seeing caplen > len on some machines.

Recommended answer

Your understanding is correct, at least based on the pcap man page.

caplen is the amount of data available to you in the capture. len was the actual length of the packet.

I'm not aware of any cases that would give you a caplen > len. I usually see them being equal, as my snaplen is sufficiently high.
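An added example, not part of the original question or answer: a packet parser should bound every read by caplen, use len only for accounting, and flag caplen > len as an inconsistent header. The `hdr_lens` struct is a stand-in for the two length fields of `struct pcap_pkthdr` so the code builds without libpcap; `classify`, `readable` and `read_be16` are hypothetical helper names, and clamping to the smaller of the two lengths is a conservative choice made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two length fields of struct pcap_pkthdr, so the
 * example builds without libpcap headers (assumption of this example). */
struct hdr_lens {
    uint32_t caplen;   /* bytes actually present in the buffer */
    uint32_t len;      /* bytes the packet had on the wire */
};

enum hdr_state { HDR_COMPLETE, HDR_TRUNCATED, HDR_INCONSISTENT };

/* Classify a header: caplen > len contradicts the documented meaning. */
enum hdr_state classify(const struct hdr_lens *h)
{
    if (h->caplen > h->len)
        return HDR_INCONSISTENT;
    return h->caplen < h->len ? HDR_TRUNCATED : HDR_COMPLETE;
}

/* Bytes a parser may touch: never more than caplen, and clamped to len
 * when the header is inconsistent (conservative choice of this example). */
uint32_t readable(const struct hdr_lens *h)
{
    return h->caplen < h->len ? h->caplen : h->len;
}

/* Read a big-endian 16-bit field at off.
 * Returns -1 if the field lies outside the readable bytes. */
int read_be16(const struct hdr_lens *h, const uint8_t *data, uint32_t off)
{
    uint32_t n = readable(h);
    if (n < 2 || off > n - 2)
        return -1;
    return (data[off] << 8) | data[off + 1];
}

int main(void)
{
    /* Constructed sample: 14-byte Ethernet header, EtherType 0x0800. */
    const uint8_t frame[14] = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00};
    struct hdr_lens truncated = { 14, 60 };   /* snaplen cut the frame */
    struct hdr_lens odd       = { 60, 14 };   /* the case in the question */

    printf("truncated: state=%d ethertype=0x%04x\n", classify(&truncated),
           (unsigned)read_be16(&truncated, frame, 12));
    printf("odd: state=%d readable=%u\n", classify(&odd), readable(&odd));
    return 0;
}
```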
