Home/ Questions/Q 7610855
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T01:31:12+00:00

The libpcap packet header structure has 2 length fields: typedef struct pcaprec_hdr_s { guint32

  • 0

The libpcap packet header structure has 2 length fields:

typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;

incl_len: the number of bytes of packet data actually captured and saved in the file. This value should never become larger than orig_len or the snaplen value of the global header.

orig_len: the length of the packet as it appeared on the network when it was captured. If incl_len and orig_len differ, the actually saved packet size was limited by snaplen.

Can any one tell me what is the difference between the 2 length fields? We are saving the packet in entirely then how can the 2 differ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Reading through the documentation at the Wireshark wiki ( http://wiki.wireshark.org/Development/LibpcapFileFormat ) and studying an example pcap file, it looks like incl_len and orig_len are usually the same quantity. The only time they will differ is if the length of the packet exceeded the size of snaplen, which is specified in the global header for the file.

    I’m just guessing here, but I imagine that snaplen specifies the size of the static buffer used for capturing. In the event that a packet was too large for the capture buffer, this is the format’s method for signaling that fact. snaplen is documented to “usually” be 65535, which is large enough for most packets. But the documentation stipulates that the size might be limited by the user.

    • 0