
Revision history

initial version

When capturing, the libpcap/npcap library will record how many bytes it has seen on the wire and how many bytes it has saved for each packet:

Frame 874: 1514 bytes on wire, 1000 bytes captured on interface en0, id 0

In dissecting, it uses the bytes on wire to determine how much data there really was before saving the first X bytes. As you are cutting the packets on the VTAP interface to 1000 bytes and then using a snaplength of 800 in tcpdump, you end up with 1000 bytes on wire, 800 bytes captured for any packet of size 1000 or larger. This means that if the original packet was 1514 bytes, for instance, 514 bytes were missing from the perspective of the capture point. Wireshark does not know that this was on purpose, so it reports the data as missing.

I assume that when you capture full frames on the VTAP and then only slice to 800 bytes with tcpdump, the expert error messages will disappear, as the capture engine now properly sees the original size of the packets before slicing them.

If this is not the case, could you please share a small example pcap of the problem and also the Wireshark version you are using for reading the truncated files?
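The mechanism the answer describes can be reproduced with a few lines of Python. The block below is an added example, not code from the answer, from Wireshark or from libpcap: it writes a classic pcap file whose per-packet header carries both the captured length (incl_len) and the on-wire length (orig_len), reads it back, and flags records where captured < on-wire, which is the condition Wireshark surfaces as a size-limited frame. The VTAP/tcpdump pipeline is modelled as an assumed two-stage slice (an upstream cut, then the capture engine's snaplen); all frames and sizes are constructed sample data.

```python
"""Minimal pcap writer/reader showing 'bytes on wire' (orig_len) versus
'bytes captured' (incl_len), and why an upstream VTAP slice hides a frame's
true size from the capture engine. Constructed data throughout."""
import struct
from typing import Dict, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(total_len: int, marker: int) -> bytes:
    """Construct a dummy Ethernet frame of total_len bytes (constructed, not real traffic)."""
    eth_header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth_header + bytes([marker & 0xFF]) * (total_len - len(eth_header))


def capture_stage(frame: bytes, vtap_slice: Optional[int], snaplen: int) -> Tuple[int, int, bytes]:
    """Assumed model of the two slicing points from the question: an optional VTAP
    that forwards only the first vtap_slice bytes, then the capture engine
    (tcpdump/libpcap) saving at most snaplen bytes. libpcap can only record the
    size it actually saw on its interface, so orig_len is the post-VTAP size,
    not the frame's true size."""
    on_wire = frame if vtap_slice is None else frame[:vtap_slice]
    saved = on_wire[:snaplen]
    return len(on_wire), len(saved), saved


def write_pcap(records: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialise (orig_len, incl_len, data) tuples into a classic pcap file."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for orig_len, incl_len, data in records:
        assert incl_len == len(data) <= orig_len
        # record header: ts_sec, ts_usec, incl_len, orig_len
        blob += struct.pack("<IIII", 0, 0, incl_len, orig_len) + data
    return blob


def read_pcap(blob: bytes) -> List[Dict]:
    """Parse the file and flag every record whose captured length is short of its
    on-wire length; this is what a dissector sees as missing data."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset, frames = 24, []
    while offset + 16 <= len(blob):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        if offset + incl_len > len(blob):
            raise ValueError("file ends inside a packet record")
        offset += incl_len
        frames.append({"frame": len(frames) + 1, "on_wire": orig_len,
                       "captured": incl_len, "sliced": incl_len < orig_len})
    return frames


def summary_line(rec: Dict) -> str:
    """Render a record in the style of Wireshark's frame summary."""
    return f"Frame {rec['frame']}: {rec['on_wire']} bytes on wire, {rec['captured']} bytes captured"


def simulate(frame_sizes: List[int], vtap_slice: Optional[int], snaplen: int) -> List[Dict]:
    """Push constructed frames through the modelled pipeline, write a pcap, read it back."""
    records = [capture_stage(build_frame(size, i), vtap_slice, snaplen)
               for i, size in enumerate(frame_sizes, 1)]
    return read_pcap(write_pcap(records, snaplen))


if __name__ == "__main__":
    sizes = [1514, 600]
    print("VTAP sliced to 1000, tcpdump snaplen 800:")
    for rec in simulate(sizes, vtap_slice=1000, snaplen=800):
        print(" ", summary_line(rec), "(sliced)" if rec["sliced"] else "")
    print("Full frames on VTAP, tcpdump snaplen 800:")
    for rec in simulate(sizes, vtap_slice=None, snaplen=800):
        print(" ", summary_line(rec), "(sliced)" if rec["sliced"] else "")
```

Running it shows the difference the answer points at: with the VTAP cut first, the 1514-byte frame is recorded as "1000 bytes on wire, 800 bytes captured", so the file itself no longer carries the original size; with full frames reaching tcpdump, the same frame is recorded as "1514 bytes on wire, 800 bytes captured", and the reader can tell exactly how much was deliberately dropped by the snaplen.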