We're sniffing packets using libpcap on Linux. The header we get on each packet looks like:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
Your understanding is correct, at least based on the pcap man page.
caplen is the amount of data available to you in the capture. len was the actual length of the packet.
I'm not aware of any cases that would give you a caplen > len. I usually see them being equal as my snaplen is sufficiently high.
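The following is an added example, not code from the question or the answer: a bounds-checked parse that uses caplen for every buffer access and len only as the on-the-wire size. The helper name, error codes and sample frame are hypothetical and constructed for illustration; it assumes an Ethernet link type with no VLAN tag, and treating caplen > len as an error is a defensive choice of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14u
enum { ERR_TRUNCATED = -1, ERR_NOT_IPV4 = -2, ERR_BAD_HEADER = -3, ERR_INCONSISTENT = -4 };

/* Constructed sample: 60-byte frame on the wire, captured with a 38-byte snaplen. */
static const uint8_t sample_frame[38] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,  0x08, 0x00, /* Ethernet, IPv4 */
    0x45, 0x00, 0x00, 0x2e,  0, 0, 0, 0,  0x40, 0x11, 0, 0,        /* total length 46 */
    192, 0, 2, 1,  192, 0, 2, 2,                                   /* src, dst */
    0xde, 0xad, 0xbe, 0xef                                         /* 4 of 26 payload bytes */
};

/*
 * Hypothetical helper: data, caplen and len are the bytes pointer, h->caplen and
 * h->len handed to a pcap callback. Returns how many IPv4 payload bytes are
 * really in the buffer, or a negative ERR_* code. Only data[0..caplen-1] is read.
 */
long ipv4_payload_captured(const uint8_t *data, uint32_t caplen, uint32_t len)
{
    if (caplen > len) return ERR_INCONSISTENT;  /* assumption: reject, never trust it */
    if (caplen < ETH_HLEN) return ERR_TRUNCATED;
    if (data[12] != 0x08 || data[13] != 0x00) return ERR_NOT_IPV4;
    if (caplen < ETH_HLEN + 20u) return ERR_TRUNCATED;

    const uint8_t *ip = data + ETH_HLEN;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4u;
    uint32_t total = ((uint32_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20u || total < ihl) return ERR_BAD_HEADER;
    if (total > len - ETH_HLEN) return ERR_BAD_HEADER;  /* claims more than was on the wire */
    if (caplen - ETH_HLEN < ihl) return ERR_TRUNCATED;  /* IP options cut off */

    uint32_t in_buffer = caplen - ETH_HLEN - ihl;  /* bounded by caplen, not len */
    uint32_t claimed = total - ihl;
    return (long)(in_buffer < claimed ? in_buffer : claimed);
}

int main(void)
{
    printf("captured payload bytes: %ld\n", ipv4_payload_captured(sample_frame, 38, 60));
    return 0;
}
```

Sizing a read or copy from len instead of caplen would run past the end of the capture buffer whenever the snaplen truncated the packet.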