How to tell if a PCAPNG file was captured with a limited snap length when parsing with SharpPCap in C#?

This seems like a stupid question, but I can't find any way to tell if a packet was only partially captured. All the data lengths I can find in the packet structures use the lengths from the header, and even the byte structures appear to fill out the data with garbage, i.e., if I capture 50 bytes of a 768-byte packet, there are 768 bytes of 'data' in the packet.

The Wireshark source seems to require an exception when parsing a packet to know it was only partially captured. I am only reading the header information, so I am not parsing anything past the TCP header.

What I really want to do is build a progress bar that works for snap length limited captures, if there is a way to just do that.

Thanks,

1

There are 1 answers

3
Ross Jacobs On

If you hit Ctrl+C on a packet capture being taken with tshark or tcpdump, you can replicate this. The fields captured length and actual length in pcap and pcapng packet headers will differ if the capture is interrupted in the middle of a packet.

Per the documentation, for a single packet header, the relevant fields are:

Public Fields
  CaptureLength  uint  The bytes actually captured. If the capture length is small, CaptureLength might be less than PacketLength
  PacketLength   uint  The length of the packet on the line

I am not seeing pcapng code in the sharppcap repo, so it's unlikely a parser has been implemented.
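The captured-versus-original length comparison discussed above can also be made directly on the pcapng block layout, without a capture library. This is an added example, not code from the post or from SharpPcap: it uses only the .NET base class library, the names `SnapLenScan`, `Scan`, `Fill` and `Block` are this example's own, and the sample file is constructed in memory.

```csharp
using System;
using System.Buffers.Binary;
using System.IO;
using System.Linq;

static class SnapLenScan
{
    static uint U32(byte[] b, int off, bool le) => le
        ? BinaryPrimitives.ReadUInt32LittleEndian(b.AsSpan(off)) : BinaryPrimitives.ReadUInt32BigEndian(b.AsSpan(off));
    static bool Fill(Stream s, byte[] buf)   // false at end of file or on a short read
    {
        int n = 0, r;
        while (n < buf.Length && (r = s.Read(buf, n, buf.Length - n)) > 0) n += r;
        return n == buf.Length;
    }
    // Counts Enhanced Packet Blocks whose captured length is below the original length.
    public static (int Packets, int Truncated, uint SnapLen) Scan(Stream s, IProgress<double> progress = null)
    {
        var head = new byte[8]; var magic = new byte[4];
        bool le = true; int packets = 0, truncated = 0; uint snapLen = 0;
        while (Fill(s, head))
        {
            bool shb = U32(head, 0, true) == 0x0A0D0D0A;        // section header: same bytes in either order
            if (shb) { if (!Fill(s, magic)) break; le = U32(magic, 0, true) == 0x1A2B3C4D; }
            uint total = U32(head, 4, le), used = shb ? 12u : 8u;
            // The 16 MiB block cap is this example's assumption, to bound allocation on bad input.
            if (total < 12 || total % 4 != 0 || total > 1 << 24) throw new InvalidDataException("bad block length");
            var body = new byte[total - used]; if (!Fill(s, body)) break;    // file ends mid-block
            uint type = U32(head, 0, le);
            if (type == 1 && body.Length >= 12) snapLen = U32(body, 4, le);   // interface description: snaplen
            if (type == 6 && body.Length >= 24) packets++;                    // enhanced packet block
            if (type == 6 && body.Length >= 24 && U32(body, 12, le) < U32(body, 16, le)) truncated++;
            if (s.CanSeek) progress?.Report((double)s.Position / s.Length);   // file bytes, not packet lengths
        }
        return (packets, truncated, snapLen);
    }
    // Constructed sample data (little-endian host assumed): one block built from 32-bit words.
    static byte[] Block(uint type, params uint[] w) =>
        new[] { type, (uint)(12 + 4 * w.Length) }.Concat(w).Append((uint)(12 + 4 * w.Length))
            .SelectMany(x => BitConverter.GetBytes(x)).ToArray();
    static void Main()
    {
        var cut = new uint[18]; cut[3] = 50; cut[4] = 768;      // 50 of 768 bytes kept, payload zeroed
        var full = new uint[15]; full[3] = 40; full[4] = 40;    // 40-byte packet kept whole
        var file = new[] { Block(0x0A0D0D0A, 0x1A2B3C4D, 1, 0xFFFFFFFF, 0xFFFFFFFF), Block(1, 1, 50),
                           Block(6, cut), Block(6, full) }.SelectMany(b => b).ToArray();
        var r = Scan(new MemoryStream(file));
        Console.WriteLine($"{r.Truncated} of {r.Packets} packets truncated, snaplen {r.SnapLen}");
    }
}
```

Because progress is reported from the stream position against the file length, it does not depend on whether packets were cut short by the snap length.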