----------------------------------------------------------------------------------
Ethernet packet 'length' questions

On my system, in the .../zeek-4.0.0-rc3/src/iosource/Packet.h file, the following two lines exist:

    uint32_t len;       /// Actual length on wire
    uint32_t cap_len;   /// Captured packet length

I'm trying to understand the difference between these two variables. Previously, using the Zeek 3.2.3 version of this source file, the "len" and "cap_len" seemed to have the same value .. as I stepped through this file using the LLDB debugger.

Sooo,

1) Regarding the above "len" field, is it the length of the Ethernet "packet"? (Or, the length of the Ethernet "frame"?)

According to wikipedia.com (https://en.wikipedia.org/wiki/Ethernet_frame), an Ethernet packet includes:

   - A 7 octet "Preamble"
   - A 1 octet "Start frame delimiter" (SFD)
   - Then, the Ethernet "frame".

The Ethernet "frame" starts at the "destination MAC" field (and extends through the "Frame check sequence" field).

2) What does the "cap_len" variable contain?

   1) The length of the Ethernet packet (including the Preamble & SFD)
   -or-
   2) The length of the Ethernet frame? (Where the "length" field is the size of the "payload" and is always < 1500 bytes long)
   3) Or, something else?

----------------------------------------------------------------------------------

On my system, in the ...zeek-4.0.0-rc3/src/packet_analysis/protocol/ip/IP.cc file, at approximately line 75, the following source lines appear:

    // total_len is the length of the packet minus all of the headers so far, including IP
    uint32_t total_len = packet->ip_hdr->TotalLen();
    if ( total_len == 0 )
        {
        // TCP segmentation offloading can zero out the ip_len field.
        Weird("ip_hdr_len_zero", packet);

I then looked at the code (and documentation) behind the call to:

    packet->ip_hdr->TotalLen();

In the source file ...zeek-4.0.0-rc3/src/IP.h, the documentation for the "TotalLen()" method states that:

    /**
     * Returns the length of the IP packet (length of headers and payload).
     */

I then traced the value of the ip4-len field down into the file /Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/netinet/ip.h (Note: This source is on a Mac OS X platform. The path under Linux will be different.) The ip.h file documentation states:

    u_short ip_len;   /* total length */

So, my conclusion is that the TotalLen() routine returns the length of the IP header plus the IP packet payload.

But, line 75 of the file ...zeek-4.0.0-rc3/src/packet_analysis/protocol/ip/IP.cc states:

    // total_len is the length of the packet minus all of the headers so far, including IP

Based on this comment, the "total_len" would not include:

   - the length of the Ethernet header
   - the length of the IP header.

So, is this comment correct? Or, should it say something like:

    // total_len is the length of the Ethernet packet minus the Ethernet header

Thanks!
----------------------------------------------------------------------------------------
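As an added illustration (this is constructed example code, not the Zeek source and not part of the post above), the following shows how the three lengths the post asks about relate on a libpcap-style capture: the wire length (`len`), the captured length (`cap_len`, bounded by snaplen) and the IPv4 total length (`ip_len`). The names `CapturedPacket`, `BuildFrame`, `Capture`, `IpTotalLen` and `IpLenMatchesFrame` are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed example (not Zeek code). `len` is the frame length on the wire;
// `cap_len` is how many of those bytes the capture kept, bounded by snaplen.
struct CapturedPacket {
    uint32_t len;               // like Packet::len
    uint32_t cap_len;           // like Packet::cap_len
    std::vector<uint8_t> data;  // exactly cap_len bytes
};

// Ethernet II header: dst MAC(6) + src MAC(6) + EtherType(2). Preamble, SFD and
// FCS are not delivered to the capture, so they are not part of `len`.
constexpr size_t kEthHdrLen = 14;
constexpr size_t kIpv4HdrLen = 20;  // no options

// Build an Ethernet frame carrying an IPv4 packet with `payload_len` payload bytes.
std::vector<uint8_t> BuildFrame(size_t payload_len) {
    std::vector<uint8_t> f(kEthHdrLen + kIpv4HdrLen + payload_len, 0);
    f[12] = 0x08; f[13] = 0x00;                 // EtherType 0x0800 = IPv4
    f[14] = 0x45;                               // version 4, IHL 5
    uint16_t total = static_cast<uint16_t>(kIpv4HdrLen + payload_len);
    f[16] = static_cast<uint8_t>(total >> 8);   // ip_len, network byte order
    f[17] = static_cast<uint8_t>(total & 0xff);
    f[23] = 17;                                 // protocol = UDP (arbitrary)
    return f;
}

// Simulate capture: len is the full wire length, only min(len, snaplen) bytes are kept.
CapturedPacket Capture(const std::vector<uint8_t>& frame, uint32_t snaplen) {
    CapturedPacket p;
    p.len = static_cast<uint32_t>(frame.size());
    p.cap_len = std::min<uint32_t>(p.len, snaplen);
    p.data.assign(frame.begin(), frame.begin() + p.cap_len);
    return p;
}

// ip_len / TotalLen(): IPv4 header plus payload, from bytes 2..3 of the IP
// header. Returns 0 if the capture is too short to contain the IP header.
uint16_t IpTotalLen(const CapturedPacket& p) {
    if (p.cap_len < kEthHdrLen + kIpv4HdrLen) return 0;
    return static_cast<uint16_t>((p.data[kEthHdrLen + 2] << 8) | p.data[kEthHdrLen + 3]);
}

// For an untruncated IPv4 frame with no Ethernet padding (frames under 60
// bytes are padded), TotalLen() + 14 == len. It does not depend on cap_len:
// a truncated capture still advertises the full length in the IP header.
bool IpLenMatchesFrame(const CapturedPacket& p) { return IpTotalLen(p) + kEthHdrLen == p.len; }
```

With a 1000-byte payload the frame is 1034 bytes on the wire and the IP header says 1020; capturing it with a snaplen of 96 leaves `cap_len` at 96 while `len` and the IP total length are unchanged.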