SIDN / spin

SPIN Core Software
https://spin.sidnlabs.nl
GNU General Public License v2.0

spin-pcap-reader and packets larger than 1514 #91

Closed frankvandenhurk closed 2 years ago

frankvandenhurk commented 2 years ago

Hi,

Just added a VLAN with regular Windows machines instead of just IoT devices. Spin-pcap-reader gives the following errors:

spin-pcap-reader: caplen 1514 != len 1684,
spin-pcap-reader: Truncated IP packet: 170 bytes missing
spin-pcap-reader: caplen 1514 != len 2283,
spin-pcap-reader: Truncated IP packet: 769 bytes missing
spin-pcap-reader: caplen 1514 != len 2284,
spin-pcap-reader: Truncated IP packet: 770 bytes missing
spin-pcap-reader: caplen 1514 != len 2292,
spin-pcap-reader: Truncated IP packet: 778 bytes missing
spin-pcap-reader: caplen 1514 != len 2291,
spin-pcap-reader: Truncated IP packet: 777 bytes missing
spin-pcap-reader: caplen 1514 != len 2283,
spin-pcap-reader: Truncated IP packet: 769 bytes missing
spin-pcap-reader: caplen 1514 != len 2292,
spin-pcap-reader: Truncated IP packet: 778 bytes missing
spin-pcap-reader: caplen 1514 != len 2292,
spin-pcap-reader: Truncated IP packet: 778 bytes missing
spin-pcap-reader: caplen 1514 != len 2922,
spin-pcap-reader: Truncated IP packet: 1408 bytes missing
spin-pcap-reader: caplen 1514 != len 2921,
spin-pcap-reader: Truncated IP packet: 1407 bytes missing
spin-pcap-reader: caplen 1514 != len 2284,
spin-pcap-reader: Truncated IP packet: 770 bytes missing
spin-pcap-reader: caplen 1514 != len 2284,
spin-pcap-reader: Truncated IP packet: 770 bytes missing
spin-pcap-reader: caplen 1514 != len 2292,
spin-pcap-reader: Truncated IP packet: 778 bytes missing
spin-pcap-reader: caplen 1514 != len 2284,
spin-pcap-reader: Truncated IP packet: 770 bytes missing
spin-pcap-reader: caplen 1514 != len 2285,
spin-pcap-reader: Truncated IP packet: 771 bytes missing
spin-pcap-reader: caplen 1514 != len 2284,
spin-pcap-reader: Truncated IP packet: 770 bytes missing
spin-pcap-reader: caplen 1514 != len 2287,
spin-pcap-reader: Truncated IP packet: 773 bytes missing
spin-pcap-reader: caplen 1514 != len 2974,
spin-pcap-reader: Truncated IP packet: 1460 bytes missing
spin-pcap-reader: caplen 1514 != len 3895,
spin-pcap-reader: Truncated IP packet: 2381 bytes missing
spin-pcap-reader: caplen 1514 != len 2974,
spin-pcap-reader: Truncated IP packet: 1460 bytes missing
spin-pcap-reader: caplen 1514 != len 3430,
spin-pcap-reader: Truncated IP packet: 1916 bytes missing
spin-pcap-reader: caplen 1514 != len 2284,
spin-pcap-reader: Truncated IP packet: 770 bytes missing
spin-pcap-reader: caplen 1514 != len 2292,
spin-pcap-reader: Truncated IP packet: 778 bytes missing

As you can see, the missing bytes are exactly the difference between 1514 and the actual length of the packet. Looks like there are valid packets with more than 1514 bytes?

NB: I have a network built with components from Unifi and haven't changed the MTU settings.

cschutijser commented 2 years ago

> As you can see, the missing bytes are exactly the difference between 1514 and the actual length of the packet. Looks like there are valid packets with more than 1514 bytes?

Indeed. I don't really have an explanation for this, other than the MTU being higher than 1500 (but maybe I'm missing something). Have you verified the actual MTU?

In any case, you can tell spin-pcap-reader to deal with this by increasing 1514 to some other number with the -s flag. But that has the downside that more time is spent on handling each packet, which increases the number of packets that spin-pcap-reader doesn't see.

frankvandenhurk commented 2 years ago

I've checked the config of the Unifi network and it was on default (1500). Changed it to 1452 to test, but still errors:

spin-pcap-reader: caplen 6000 != len 33638,
spin-pcap-reader: Truncated IP packet: 27638 bytes missing
spin-pcap-reader: caplen 6000 != len 7358,
spin-pcap-reader: Truncated IP packet: 1358 bytes missing
spin-pcap-reader: caplen 6000 != len 11738,
spin-pcap-reader: Truncated IP packet: 5738 bytes missing
spin-pcap-reader: caplen 6000 != len 17578,
spin-pcap-reader: Truncated IP packet: 11578 bytes missing

cschutijser commented 2 years ago

I think that's similar to what you have reported in issue #92 so let's continue the conversation there.
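
The `caplen`/`len` pairs reported in this thread can be checked offline against a saved capture. The C below is an added example, not part of the thread and not SPIN code: it scans a classic little-endian pcap file image, counts records where fewer bytes were captured than were on the wire, and reports the largest on-wire length. The names `pcap_trunc_scan`, `build_sample` and `trunc_stats` are hypothetical, and the sample image is constructed from length pairs in the first log.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct trunc_stats {
    unsigned records, truncated;            /* records seen / records with caplen < len */
    uint32_t snaplen, max_len, max_missing; /* file snaplen, largest len, largest len - caplen */
};
static uint32_t rd32(const uint8_t *p) {    /* little-endian load */
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {  /* little-endian store */
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Returns 0 on success, -1 if the image is not a well-formed pcap file. */
int pcap_trunc_scan(const uint8_t *buf, size_t n, struct trunc_stats *st) {
    memset(st, 0, sizeof *st);
    if (n < 24 || rd32(buf) != 0xa1b2c3d4u) return -1;  /* magic, microsecond format */
    st->snaplen = rd32(buf + 16);
    for (size_t off = 24; off < n; ) {
        if (n - off < 16) return -1;                     /* partial record header */
        uint32_t caplen = rd32(buf + off + 8), len = rd32(buf + off + 12);
        off += 16;
        /* Never trust caplen: it must fit len, the snaplen and the bytes left. */
        if (caplen > len || caplen > st->snaplen || caplen > n - off) return -1;
        st->records++;
        if (len > st->max_len) st->max_len = len;
        if (caplen < len) st->truncated++;
        if (len - caplen > st->max_missing) st->max_missing = len - caplen;
        off += caplen;
    }
    return 0;
}

/* Constructed sample: snaplen 1514, one whole frame plus three (caplen, len)
 * pairs from the log in this thread; packet bytes are zero filler. */
size_t build_sample(uint8_t *out, size_t cap) {
    static const uint32_t rec[][2] = { {60, 60}, {1514, 1684}, {1514, 2283}, {1514, 3895} };
    size_t off = 24;
    if (cap < 24) return 0;
    memset(out, 0, cap);
    wr32(out, 0xa1b2c3d4u); out[4] = 2; out[6] = 4;     /* magic, version 2.4 */
    wr32(out + 16, 1514); wr32(out + 20, 1);             /* snaplen, LINKTYPE_ETHERNET */
    for (size_t i = 0; i < sizeof rec / sizeof rec[0]; i++) {
        if (cap - off < 16 + rec[i][0]) return 0;        /* sample does not fit */
        wr32(out + off + 8, rec[i][0]); wr32(out + off + 12, rec[i][1]);
        off += 16 + rec[i][0];
    }
    return off;
}
```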