mfontanini / libtins

High-level, multiplatform C++ network packet sniffing and crafting library.
http://libtins.github.io/
BSD 2-Clause "Simplified" License

Packet count differing between Wireshark and Libtins #171

Open pjattke opened 7 years ago

pjattke commented 7 years ago

Dear Community, I am encountering the following issue when reading my sample PCAP file [1]: the number of packets displayed in Wireshark is 1 375 475, whereas libtins only processes 1 374 068 packets. I use the following code to process the file:

    #include <iostream>
    #include <tins/tins.h>
    using namespace Tins;

    // file_path holds the path of the PCAP file, e.g. "95M.pcap"
    FileSniffer sniffer(file_path);
    size_t packet_count = 0;
    for (SnifferIterator i = sniffer.begin(); i != sniffer.end(); i++) {
        packet_count++;
    }
    std::cout << "#packets: " << packet_count << std::endl;

I also tried alternative methods of reading the file, like the following, but this did not change the packet_count.

    // Handler passed to sniff_loop (defined at file scope): count each packet
    // and return true so that sniffing continues with the next one
    size_t counter = 0;
    bool count_packets(PDU& /*pdu*/) {
        counter++;
        return true;
    }

    FileSniffer s(file_path);
    size_t c = 0;
    for (auto& packet : s) {
        c++;
    }
    std::cout << "A #packets: " << c << std::endl;
    FileSniffer x(file_path);
    x.sniff_loop(count_packets);
    std::cout << "There are " << counter << " packets in the pcap file\n";

Can anyone explain this strange behavior to me? I tried the same task with the PcapPlusPlus library, and it returned the same value as Wireshark.

Thanks a lot for your support!

[1] Sample PCAP File: 95M.pcap

mfontanini commented 7 years ago

The issue is that some packets are truncated (when the capture was done, the maximum snap length on the capture was lower than the MTU). Hence, libtins fails to parse some layers because it expects more data than there actually is. This is somewhat of a limitation that at some point I'd like to change though!
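To see the discrepancy described above for yourself, it helps to count records at the pcap file level rather than through a protocol parser. The following is an added example, not libtins code and not part of this issue: a minimal walker over the classic pcap format that counts every record (the number Wireshark reports) and separately counts the records whose captured length (`incl_len`) is shorter than the original frame length (`orig_len`), which are the truncated packets a layer parser may reject. The sample bytes are constructed inline (snaplen 64, three records, the middle one a 1500-byte frame cut to 64 bytes), so no capture file is needed; the names `PcapStats`, `count_pcap_records` and `sample_pcap` are this example's own.

```cpp
// Added example (not libtins code): count pcap records and flag truncated ones.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

struct PcapStats {
    uint32_t snaplen = 0;  // snap length from the global header
    size_t total = 0;      // every record in the file (what Wireshark counts)
    size_t truncated = 0;  // records with incl_len < orig_len
};

// Read a 32-bit integer at `off`; `swap` selects big-endian files.
static uint32_t read_u32(const std::vector<uint8_t>& d, size_t off, bool swap) {
    if (off + 4 > d.size()) throw std::runtime_error("short read");
    uint32_t v = uint32_t(d[off]) | uint32_t(d[off + 1]) << 8 |
                 uint32_t(d[off + 2]) << 16 | uint32_t(d[off + 3]) << 24;
    if (swap) v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}

PcapStats count_pcap_records(const std::vector<uint8_t>& d) {
    PcapStats s;
    // Global header: magic(4) ver_major(2) ver_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    uint32_t magic = read_u32(d, 0, false);
    bool swap;
    if (magic == 0xa1b2c3d4u) swap = false;
    else if (magic == 0xd4c3b2a1u) swap = true;
    else throw std::runtime_error("not a classic pcap file");
    s.snaplen = read_u32(d, 16, swap);
    size_t off = 24;
    while (off < d.size()) {
        // Record header: ts_sec(4) ts_usec(4) incl_len(4) orig_len(4), then incl_len data bytes
        uint32_t incl_len = read_u32(d, off + 8, swap);
        uint32_t orig_len = read_u32(d, off + 12, swap);
        off += 16;
        if (off + incl_len > d.size()) throw std::runtime_error("record runs past end of file");
        s.total++;
        if (incl_len < orig_len) s.truncated++;  // capture was cut at the snap length
        off += incl_len;
    }
    return s;
}

// --- constructed sample data (little-endian) ---
static void put_u32(std::vector<uint8_t>& d, uint32_t v) {
    for (int i = 0; i < 4; ++i) d.push_back(uint8_t(v >> (8 * i)));
}

static void add_record(std::vector<uint8_t>& d, uint32_t incl_len, uint32_t orig_len) {
    put_u32(d, 0);         // ts_sec
    put_u32(d, 0);         // ts_usec
    put_u32(d, incl_len);  // bytes actually saved
    put_u32(d, orig_len);  // bytes on the wire
    d.insert(d.end(), incl_len, 0);  // payload contents do not matter here
}

std::vector<uint8_t> sample_pcap() {
    std::vector<uint8_t> d;
    put_u32(d, 0xa1b2c3d4u);  // magic
    put_u32(d, 0x00040002u);  // version 2.4 as two little-endian 16-bit fields
    put_u32(d, 0);            // thiszone
    put_u32(d, 0);            // sigfigs
    put_u32(d, 64);           // snaplen: only 64 bytes of each frame were kept
    put_u32(d, 1);            // linktype: Ethernet
    add_record(d, 60, 60);    // complete small frame
    add_record(d, 64, 1500);  // 1500-byte frame cut to the snap length
    add_record(d, 42, 42);    // complete small frame
    return d;
}

int main() {
    PcapStats s = count_pcap_records(sample_pcap());
    std::cout << "snaplen " << s.snaplen << ", records " << s.total
              << ", truncated " << s.truncated << '\n';
    return 0;
}
```

If the difference between `total` and the number libtins yields is close to `truncated`, the snap length explanation given above fits; comparing the per-record counts of a real capture is the same loop with the file's bytes read into the vector.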