Working on parsing ARP packets and I found this nice problem.

When receiving an ARP packet I was parsing the target's IP address.

I have c0 a8 in my hex dump but after that it ends. I am missing data! I see the data in Wireshark but I am not getting the data through WinPCap.

I have yet to run into this issue before. Any ideas SO? So far no memory access errors though. Probably just luck. :x

EDIT: My main loop for processing packets is from the example pktdump_ex.

Here is the while line

while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0)

After that is executed, the snaplen is 2b.

+2  A: 

As noted in the comment, this smells like a faulty snaplen configuration. If you look at the WinPcap API docs pcap_open() apidoc, it states:

snaplen: length of the packet that has to be retained. For each packet received by the filter, only the first 'snaplen' bytes are stored in the buffer and passed to the user application. For instance, snaplen equal to 100 means that only the first 100 bytes of each packet are stored.

As explanation for the second parameter of pcap_open. Unless you provide some more detailed code snippets to work with, this is the closest to an answer we will get.

amo-ej1
I am able to get MUCH longer packets than these relatively short ARP ones successfully every time.
bobber205
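A bounds check that makes the kind of truncation discussed in this thread visible instead of reading past the captured bytes, as an added example that is not code from the original posts. The helper name `arp_target_ip` and the sample frame are constructed for illustration; `caplen` and `wire_len` stand for the `caplen` and `len` fields of `struct pcap_pkthdr`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14u      /* dst MAC + src MAC + EtherType */
#define ARP_IPV4_LEN  28u      /* ARP body for Ethernet + IPv4 */
#define TPA_OFFSET    38u      /* target protocol address within the frame */

enum { ARP_OK = 0, ARP_TRUNCATED = -1, ARP_SHORT_FRAME = -2, ARP_NOT_ARP = -3 };

/* Constructed sample: ARP request for 192.168.1.1 (42 bytes on the wire). */
static const uint8_t SAMPLE_ARP[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x01,0x0a,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01 };

/* Hypothetical helper. caplen/wire_len correspond to the caplen and len
 * fields of struct pcap_pkthdr: bytes actually stored vs. bytes on the wire. */
static int arp_target_ip(const uint8_t *pkt, uint32_t caplen,
                         uint32_t wire_len, uint8_t ip[4])
{
    uint32_t need = ETH_HDR_LEN;
    if (caplen >= need) {
        if (((pkt[12] << 8) | pkt[13]) != 0x0806)
            return ARP_NOT_ARP;
        need = ETH_HDR_LEN + ARP_IPV4_LEN;
    }
    if (caplen < need)      /* never index past what was captured */
        return wire_len >= need ? ARP_TRUNCATED : ARP_SHORT_FRAME;
    if (pkt[18] != 6 || pkt[19] != 4)   /* hlen/plen: Ethernet + IPv4 only */
        return ARP_NOT_ARP;
    memcpy(ip, pkt + TPA_OFFSET, 4);
    return ARP_OK;
}

int main(void)
{
    uint8_t ip[4] = {0};
    int full = arp_target_ip(SAMPLE_ARP, 42, 42, ip);
    printf("full capture: %d -> %u.%u.%u.%u\n", full, ip[0], ip[1], ip[2], ip[3]);
    /* Same frame, but only 40 bytes retained: ends after "c0 a8". */
    printf("caplen 40 of 42: %d\n", arp_target_ip(SAMPLE_ARP, 40, 42, ip));
    return 0;
}
```

In a capture loop the same call would take `header->caplen` and `header->len`; an `ARP_TRUNCATED` result means the frame was longer on the wire than what the capture handle retained.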