Thanks for the pcap Haiyan.

I'm curious as to how this pcap was generated?  I looked at the raw
pcap file, and it seems broken.  The reason for this is that the pcap
file header stores the 'snaplen' used for capture of this file.  In
this file it is set to 100 bytes (0x64).   The snaplen is the global
maximum packet size stored by libpcap - any packet larger than the
snaplen size is supposed to be truncated.  tcpdump uses the '-s' flag
to change the snaplen size.

Now each packet in a pcap file is prefaced with a pcap packet header.
This header contains among other things two values:
1) The size of the original packet (390 bytes in this case) aka 'len'
2) The size of the data actually stored in the pcap file (also 390 in
this case) aka 'caplen'

Now a proper pcap file should never have a packet where the 'caplen' >
'snaplen', but in your case this is exactly what has happened.
Regardless, when I process this pcap file using libpcap it reports
that there are only 100 bytes available, not the whole 390.  Hence the
problem you're seeing.

Honestly, this isn't the first time I've seen this problem, but I
don't know what causes it.  The "good news" is that tcpreplay 3.x has
a --pktlen flag which tells tcpreplay to ignore the caplen value and
use the original packet len value instead.

Honestly though, your best solution is to figure out why your pcap
file is broken and make sure it doesn't happen again.  If you captured
this packet using a standard tool like tcpdump, I'd love to learn more
so that I can add this info to the FAQ.

Regards,
Aaron

-- 
Aaron Turner
http://synfin.net/


On 11/29/06, Aaron Turner <[EMAIL PROTECTED]> wrote:
> Hi Haiyan,
>
> Never seen that before.  Could you be so kind as to send me the msg.cap file?
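
The consistency check described in the message above (per-packet 'caplen' against the file header's 'snaplen'), as an added example that is not part of the original e-mail or of tcpreplay. It reads the classic pcap layout directly; the names check_pcap and build_sample are hypothetical, and the sample bytes are constructed to mirror the reported case (snaplen 100, caplen and len 390).

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap: usec / nsec timestamps

def check_pcap(data):
    """Return (snaplen, problems) for a classic pcap file held in bytes.

    problems is a list of (record_number, caplen, length, reason).
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap file header")
    for endian in ("<", ">"):  # the magic tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    # File header: magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
    snaplen = struct.unpack(endian + "IHHiIII", data[:24])[5]
    problems, off, num = [], 24, 0
    while off + 16 <= len(data):
        # Packet header: ts_sec, ts_usec, caplen (bytes stored), len (on the wire)
        _, _, caplen, length = struct.unpack(endian + "IIII", data[off:off + 16])
        num += 1
        if caplen > snaplen:
            problems.append((num, caplen, length, "caplen > snaplen"))
        if caplen > length:
            problems.append((num, caplen, length, "caplen > len"))
        if off + 16 + caplen > len(data):
            problems.append((num, caplen, length, "record runs past end of file"))
            break
        off += 16 + caplen
    return snaplen, problems

def build_sample():
    """Constructed sample: snaplen 100, one 390-byte record, one 60-byte record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 100, 1)
    bad = struct.pack("<IIII", 0, 0, 390, 390) + bytes(390)
    good = struct.pack("<IIII", 0, 1, 60, 60) + bytes(60)
    return hdr + bad + good

if __name__ == "__main__":
    snaplen, problems = check_pcap(build_sample())
    print("snaplen:", snaplen)
    for p in problems:
        print("record %d: caplen=%d len=%d: %s" % p)
```

To check a real capture, pass the file's contents: check_pcap(open(path, "rb").read()). pcapng files are not handled and raise ValueError.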

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
