We're sniffing packets using libpcap on linux The header we get on each packet looks like:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
Now, It is my understanding that caplen is the length of the data we have captured while len is the length of the packet on the wire. In some cases (e.g. when setting the snaplen too low when opening the pcap device) we might capture only parts of the packet, that length will be 'caplen', while 'len' is the original length. Thus, caplen should be equal to or less than len, but never greater than len.
Is that a proper understanding ? We're seing caplen > len on some machines