1

This seems like a stupid question, but I can't find any way to tell if a packet was only partially captured. All the data lengths I can find in the packet structures use the lengths from the header, and even the byte structures appear to fill out the data with garbage. I.E., if I capture 50 bytes of a 768 byte packet, there are 768 bytes of 'data' in the packet.

The Wireshark source seems to require an exception when parsing a packet to know it was only partially captured. I am only reading the header information, so I am not parsing anything past the TCP header.

What I really want to do is build a progress bar that works for snap length limited captures, if there is a way to just do that.

Thanks,

J. Lambert

1 Answer

0

If you hit Ctrl+C on a packet capture being taken with tshark or tcpdump, you can replicate this. The fields captured length and actual length in pcap and pcapng packet headers will differ if the capture is interrupted in the middle of a packet.

Per the documentation, for a single packet header, the relevant fields are:

Public Fields
  CaptureLength  uint  The bytes actually captured. If the capture length is
                       small, CaptureLength might be less than PacketLength.
  PacketLength   uint  The length of the packet on the line.

I am not seeing pcapng code in the sharppcap repo, so it's unlikely a parser has been implemented.

Ross Jacobs
  • From a *very* quick look at the SharpPcap code, it calls libpcap to parse the packets, rather than parsing them itself, so, if it's using a sufficiently recent version of libpcap (1.1, on UN\*X - on Windows, I don't think WinPcap is based on a sufficiently recent version, but Npcap is), in which libpcap can read some pcapng files, so can SharpPcap. – user13251981 May 08 '20 at 23:26
  • Looking at the code, SharpPcap provides bindings for the packet header fields for pcap files when using libpcap, but NOT for winpcap or npcap. Note that the packet header is not the packet or the pcap header. I do not see any bindings for the enhanced packet blocks of pcapng in the directories for libpcap, winpcap, npcap. If there is any pcapng functionality in this project, it does appear in any documentation or code. – Ross Jacobs May 09 '20 at 01:56
  • It also looks like there is basic packet parsing in one of the [library dependencies](https://github.com/chmorgan/packetnet/blob/master/PacketDotNet/Packet.cs), but only one length is retrieved here. – Ross Jacobs May 09 '20 at 02:14
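
The two length fields discussed above, shown as an added example that is not part of the original thread and is not SharpPcap code: this Python reads the per-packet record headers of a classic pcap file directly, flags records whose captured length is below the on-the-wire length, and computes progress from the bytes actually stored in the file, which is what a snap-length-limited capture needs. The names `scan_pcap` and `build_sample` and the sample capture are constructed for illustration; pcapng is not handled.

```python
import io
import struct

def scan_pcap(stream, total_size):
    """Yield (index, caplen, origlen, truncated, progress) for each packet record."""
    magic = stream.read(4)
    # Classic pcap magic a1b2c3d4 (usec) or a1b23c4d (nsec); byte order shows endianness.
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if len(stream.read(20)) != 20:  # rest of the 24-byte global header
        raise ValueError("global header is cut short")
    offset, index = 24, 0
    while True:
        hdr = stream.read(16)
        if len(hdr) < 16:
            break  # end of file, or a record header cut off mid-write
        _sec, _frac, caplen, origlen = struct.unpack(endian + "IIII", hdr)
        if len(stream.read(caplen)) < caplen:
            break  # the file itself ends inside this record
        # Only caplen bytes are stored, so progress must advance by caplen, not origlen.
        offset += 16 + caplen
        yield index, caplen, origlen, caplen < origlen, offset / total_size
        index += 1

def build_sample():
    """Constructed capture: snaplen 50; a 768-byte packet cut to 50 bytes, then a whole 40-byte packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 50, 1)
    out += struct.pack("<IIII", 0, 0, 50, 768) + bytes(50)
    out += struct.pack("<IIII", 0, 1, 40, 40) + bytes(40)
    return out

if __name__ == "__main__":
    sample = build_sample()
    for i, caplen, origlen, cut, progress in scan_pcap(io.BytesIO(sample), len(sample)):
        state = "TRUNCATED" if cut else "complete"
        print(f"packet {i}: captured {caplen} of {origlen} bytes ({state}), {progress:.0%} read")
```
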