[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 375
  • Last Modified:

Problem using pcap packet sniffer


I am studying the code of a packet sniffer which is using pcap_loop to receive the packet bytes.

The packet handler is pcap_cb.

The problem is,

It returns different value of  pkthdr->len  and  pkthdr->caplen.

pkthdr->caplen = 68, pkthdr->len = 161

This results in capturing only 68 bytes in buf.  However I have to receive the full 161 bytes of data.

Can anyone please suggest me what should I change in order to get all 161 bytes in buf.

Thanks & Regards,

pcap_loop(device.dev_desc, -1, pcap_cb, (u_char *) &cb_data);
void pcap_cb(u_char *user, const struct pcap_pkthdr *pkthdr, const u_char *buf)
  struct packet_ptrs pptrs;
  struct pcap_callback_data *cb_data = (struct pcap_callback_data *) user;
  struct pcap_device *device = cb_data->device; 
  struct plugin_requests req;
  FILE *fp;
  int i;
  fp = fopen("/var/log/pmacct_logs.txt", "a+");  
  fprintf(fp, "pkthdr->caplen = %d, pkthdr->len = %d\n",pkthdr->caplen,pkthdr->len);

Open in new window

1 Solution
pkthdr->len is the total size of the packet.
pkthdr->caplen is the size that was captured.

If caplen = 68 < len, the most likely reason is that snaplen is still set to the default (68). Provide a higher snaplen value when you open the network device for capturing (using pcap_open_live).

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Tackle projects and never again get stuck behind a technical roadblock.
Join Now