Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Packet 6 in the capture has both the length and captured length as 355 bytes. The total length field in the IPv4 header is 344 bytes; as RFC 791 section 3.1 says, "Total Length is the length of the datagram, measured in octets, including internet header and data." The packet also has a 14-byte Ethernet header, so the total length of the packet should be 344+14 = 358 bytes.

So the packet was written incorrectly. If it was written by code running in Scapy, either Scapy has a bug or the code running in Scapy has a bug.

If I use the View > Reload as File Format/Capture item to cause Wireshark to read the raw file and show the internal structure of the file, packet 6 has a captured length of 358 bytes and an "on the network length" of 355 bytes. It is never valid for the captured length to be larger than the on-the-network length.