pcap struct pcap_pkthdr len vs caplen

Question

We're sniffing packets using libpcap on linux The header we get on each packet looks like:

struct pcap_pkthdr {
        struct timeval ts;      /* time stamp */
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
};

Now, It is my understanding that caplen is the length of the data we have captured while len is the length of the packet on the wire. In some cases (e.g. when setting the snaplen too low when opening the pcap device) we might capture only parts of the packet, that length will be 'caplen', while 'len' is the original length. Thus, caplen should be equal to or less than len, but never greater than len.

Is that a proper understanding ? We're seing caplen > len on some machines

Answer 1

Your understanding is correct, at least based on the pcap man page.

caplen is the amount of data available to you in the capture. len was the actual length of the packet.

I'm not aware of any cases that would give you a caplen > len. I usually seem them being equal as my snaplen is sufficiently high.