How does wireshark calculate number of short frames

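Statistics->Protocol Hierarchy shows various statistics, including a count of short frames. How does Wireshark count this, and what does it consider as short frames? Is it the same as packets that were intentionally truncated during capturing? (In this case the caplen field of struct pcap_pkthdr would be less than len, which is IP payload size.)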

However, when I implemented a simple application (using libpcap) to read the pcap, and counted that way (caplen vs. len), my numbers are slightly higher than what Wireshark reports.

Wireshark version 2.2.6; the capture contains TLS, i.e. over TCP. The Wireshark Protocol Hierarchy menu reports 15240 SSL packets, and 13640 short frames out of those 15240.

How does wireshark count this, and what does it consider as short frames?

Wireshark marks a frame as short when it catches a BoundsError or ScsiBoundsError exception.

From epan/show_exception.c:41

        proto_short = proto_register_protocol("Short Frame", "Short frame", "_ws.short");

From epan/show_exception.c:81-104

        case BoundsError:
                {   
                gboolean display_info = TRUE;

                ....................................

                if (display_info)
                        col_append_str(pinfo->cinfo, COL_INFO, "[Packet size limited during capture]");
                proto_tree_add_protocol_format(tree, proto_short, tvb, 0, 0,
                                "[Packet size limited during capture: %s truncated]", pinfo->current_proto);
                /* Don't record BoundsError exceptions as expert events - they merely
                 * reflect a capture done with a snapshot length too short to capture
                 * all of the packet
                 * (any case where it's caused by something else is a bug). */
        }

Is it the same as packets that were intentionally truncated during capturing?

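Yes, it should be. But I would say there may be slight differences, because Wireshark does not count short frames directly the way you do in your application; its count depends on exceptions, which might not be thrown because of some bug.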

(in this case caplen field of struct pcap_pkthdr would be less than len, which is IP payload size).

Correct.

However, when I implemented simple application (use libpcap) to read pcap, and counted that way (caplen vs. len), my numbers are slightly higher than what wireshark reports.

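It could be a bug in Wireshark, or it could be a bug in your code. You can use the _ws.short filter to see all short frames in Wireshark, and then try to find the frames that your app detects as short but Wireshark does not.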

Wireshark Version 2.2.6, capture contains TLS, i.e. over TCP

Your version is a bit outdated. The latest version is 3.2.1, so consider upgrading, or at least testing both versions.
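
An added example, not part of the original question or answer: a libpcap-free Python reader for classic pcap files that lists the 1-based frame numbers whose captured length is smaller than the length recorded for the packet on the wire, so the list can be compared with the frames Wireshark matches with the `_ws.short` filter. The function names and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import struct
import sys

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def truncated_frames(data: bytes):
    """Return (total_frames, [1-based numbers of frames with caplen < len])."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    # The magic number tells us the byte order the file was written in.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in _MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    rec = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, caplen, len
    offset, number, short = 24, 0, []
    while offset + rec.size <= len(data):
        _, _, caplen, length = rec.unpack_from(data, offset)
        offset += rec.size
        if offset + caplen > len(data):
            raise ValueError(f"frame {number + 1}: record runs past end of file")
        number += 1
        if caplen < length:  # fewer bytes stored than were on the wire
            short.append(number)
        offset += caplen
    return number, short


def _sample_pcap() -> bytes:
    """Constructed capture: snaplen 64, frames of 60, 1514 and 590 bytes on the wire."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)  # linktype 1 = Ethernet
    for i, wire_len in enumerate((60, 1514, 590)):
        caplen = min(wire_len, 64)
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, caplen, wire_len) + bytes(caplen)
    return out


if __name__ == "__main__":
    # Pass a pcap path as the first argument, or run without one for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _sample_pcap()
    total, short = truncated_frames(data)
    print(f"{len(short)} of {total} frames truncated: {short}")
```

Frame numbers printed here that do not appear under `_ws.short` in Wireshark are the ones to inspect for the discrepancy.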