Problem using pcap packet sniffer


I am studying the code of a packet sniffer which is using pcap_loop to receive the packet bytes.

The packet handler is pcap_cb.

The problem is that it returns different values for pkthdr->len and pkthdr->caplen.

pkthdr->caplen = 68, pkthdr->len = 161

This results in capturing only 68 bytes in buf. However, I have to receive the full 161 bytes of data.

Can anyone please suggest what I should change in order to get all 161 bytes in buf?

Thanks & Regards,

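/* Capture loop: pcap_cb is called once for every packet received. */
pcap_loop(device.dev_desc, -1, pcap_cb, (u_char *) &cb_data);

void pcap_cb(u_char *user, const struct pcap_pkthdr *pkthdr, const u_char *buf)
{
  struct packet_ptrs pptrs;
  struct pcap_callback_data *cb_data = (struct pcap_callback_data *) user;
  struct pcap_device *device = cb_data->device;
  struct plugin_requests req;
  FILE *fp;
  int i;

  /* Log the captured length (caplen) and the on-wire length (len).
     Both fields are unsigned (bpf_u_int32), hence %u. */
  fp = fopen("/var/log/pmacct_logs.txt", "a+");
  if (fp != NULL)
    fprintf(fp, "pkthdr->caplen = %u, pkthdr->len = %u\n", pkthdr->caplen, pkthdr->len);
  /* ... the remainder of the handler is not shown in the post ... */
}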

Infinity08 commented:
pkthdr->len is the total size of the packet.
pkthdr->caplen is the size that was captured.

If caplen = 68 < len, the most likely reason is that snaplen is still set to the default (68). Provide a higher snaplen value when you open the network device for capturing (using pcap_open_live).
Question has a verified solution.
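The caplen/len relationship from the answer can also be checked offline on a capture file, since the classic pcap savefile stores the snaplen in its global header and both lengths in every record header. The following is an added example, not code from the original thread or from pmacct; the function names and the SAMPLE bytes are constructed for illustration, and only little-endian, microsecond-resolution savefiles are handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample savefile (184 bytes): snaplen 68, one 161-byte packet
   cut to 68 bytes, one 60-byte packet stored whole. Payload bytes are zero. */
static const unsigned char SAMPLE[184] = {
    0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0,   /* magic 0xa1b2c3d4, version 2.4 */
    [16] = 68, [20] = 1,                  /* snaplen, linktype 1 (Ethernet) */
    [32] = 68, [36] = 161,                /* record 1: caplen, len */
    [116] = 60, [120] = 60                /* record 2: caplen, len */
};

static uint32_t get32(const unsigned char *p) {   /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Snaplen from the 24-byte global header, or -1 if the header is not valid. */
int64_t savefile_snaplen(const unsigned char *f, size_t n) {
    if (n < 24 || get32(f) != 0xa1b2c3d4u) return -1;
    return get32(f + 16);
}

/* Number of records with caplen < len, or -1 if the file is malformed. */
int count_truncated(const unsigned char *f, size_t n) {
    size_t off = 24;
    int cut = 0;
    if (savefile_snaplen(f, n) < 0) return -1;
    while (off < n) {
        if (n - off < 16) return -1;               /* partial record header */
        uint32_t caplen = get32(f + off + 8), len = get32(f + off + 12);
        off += 16;
        if (caplen > len || caplen > n - off) return -1;  /* lengths must fit */
        if (caplen < len) cut++;                   /* packet was cut at snaplen */
        off += caplen;
    }
    return cut;
}

int main(void) {
    printf("snaplen=%lld truncated=%d\n",
           (long long)savefile_snaplen(SAMPLE, sizeof SAMPLE),
           count_truncated(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

A non-zero count means analysis that needs full payloads is working from partial data, and the capture has to be repeated with a larger snaplen passed to pcap_open_live.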