I am guessing sniff.lsp was ported from sniffex.c, as it suffers from the same fundamental problem with malformed packets.
From the sniffex.c source code:
Take the IP *total* length field - "ip_len" in "struct sniff_ip" - and, first, check whether it's less than ip_hl*4 (after you've checked whether ip_hl is >= 5). If it is, you have a malformed IP datagram.
Otherwise, subtract ip_hl*4 from it; that gives you the length of the TCP segment, including the TCP header. If that's less than th_off*4 (after you've checked whether th_off is >= 5), you have a malformed TCP segment.
Otherwise, subtract th_off*4 from it; that gives you the length of the TCP payload.
In the security world, many packets are sent with malformed IP, TCP, ICMP or UDP datagrams. Because of this, I need to be able to extract the malformed packet content and see what was done by the attacker.
Also, the libpcap option pcap_open_offline is not being used, which prevents us from running sniff.lsp against an already captured file (on disk).
I have a small pcap file which illustrates the problem:
https://www.openpacket.org/capture/grab/61
When I run sniff.lsp against this file (after adding pcap_open_offline as an option), I see the following message (problem):
--- 3--- time: 15:12:56.26937 capture-length:60
from ether addr: 00:18:01:3b:88:47 to: 00:0d:93:64:0f:4e
UDP from 88.196.140.131 port:29285 to 192.168.1.125 port:24
payload length:-6
However, if I load Wireshark (or tcpdump), they both read the pcap file correctly and see a 2 byte payload.
I am digging through the code to figure out the issue, but you should be aware that sniff.lsp is throwing "Malformed IP datagram" and other errors when the packet is not malformed.
P.S. I am also using sniff.lsp as a module.
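As an added example (not code from sniff.lsp or sniffex.c), the following C implements the length checks quoted above from the sniffex.c comment, extended to UDP, and shows why the padded 60-byte UDP frame in the capture output above must not yield a negative payload length: the payload is derived from the IP total length field, never from the capture length, so Ethernet padding is ignored, and every header field is bounds-checked before it is read. It assumes an Ethernet/IPv4 link layer; the two sample frames and the `payload_length_patched` helper are constructed here for illustration and are not the packet from the capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for payload_length(); negative values mean "malformed". */
enum {
    PL_ERR_TRUNCATED   = -1, /* capture shorter than the headers claim */
    PL_ERR_BAD_IP_HL   = -2, /* ip_hl < 5 */
    PL_ERR_BAD_IP_LEN  = -3, /* ip_len < ip_hl*4 */
    PL_ERR_BAD_L4_HDR  = -4, /* TCP th_off < 5, or UDP length < 8 */
    PL_ERR_BAD_L4_LEN  = -5, /* segment/datagram shorter than its own header */
    PL_ERR_UNSUPPORTED = -6  /* not Ethernet/IPv4 carrying TCP or UDP */
};

#define ETHER_HDR_LEN 14
#define FRAME_LEN 60   /* both constructed samples are minimum-size frames */

/* Payload length of an Ethernet/IPv4 frame, derived from the IP total
 * length field. caplen is the pcap capture length; a frame padded to the
 * 60-byte Ethernet minimum has caplen > ETHER_HDR_LEN + ip_len, and that
 * padding is never payload. Each field is bounds-checked before use. */
int payload_length(const uint8_t *frame, size_t caplen)
{
    if (caplen < ETHER_HDR_LEN + 20) return PL_ERR_TRUNCATED;
    if ((frame[12] << 8 | frame[13]) != 0x0800) return PL_ERR_UNSUPPORTED;

    const uint8_t *ip = frame + ETHER_HDR_LEN;
    if ((ip[0] >> 4) != 4) return PL_ERR_UNSUPPORTED;
    unsigned ip_hl = ip[0] & 0x0f;                     /* 32-bit words */
    if (ip_hl < 5) return PL_ERR_BAD_IP_HL;
    unsigned ip_len = (unsigned)(ip[2] << 8 | ip[3]);  /* total length */
    if (ip_len < ip_hl * 4) return PL_ERR_BAD_IP_LEN;
    if (caplen < ETHER_HDR_LEN + ip_len) return PL_ERR_TRUNCATED;

    unsigned l4_len = ip_len - ip_hl * 4;   /* TCP segment / UDP datagram */
    const uint8_t *l4 = ip + ip_hl * 4;
    switch (ip[9]) {                        /* IP protocol field */
    case 6: {                               /* TCP */
        if (l4_len < 20) return PL_ERR_BAD_L4_LEN;
        unsigned th_off = l4[12] >> 4;
        if (th_off < 5) return PL_ERR_BAD_L4_HDR;
        if (l4_len < th_off * 4) return PL_ERR_BAD_L4_LEN;
        return (int)(l4_len - th_off * 4);
    }
    case 17: {                              /* UDP */
        if (l4_len < 8) return PL_ERR_BAD_L4_LEN;
        unsigned udp_len = (unsigned)(l4[4] << 8 | l4[5]);
        if (udp_len < 8) return PL_ERR_BAD_L4_HDR;
        if (udp_len > l4_len) return PL_ERR_BAD_L4_LEN;
        return (int)(udp_len - 8);
    }
    default:
        return PL_ERR_UNSUPPORTED;
    }
}

/* Constructed frame: IPv4/UDP, ip_len 30, UDP length 10, 2-byte payload,
 * then 16 bytes of zero Ethernet padding. MACs/IPs/ports are made up. */
const uint8_t sample_udp_frame[FRAME_LEN] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x1e, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x0a,0x00,0x00,
    0xab,0xcd
};

/* Constructed frame: IPv4/TCP, ip_len 43, th_off 5, 3-byte payload. */
const uint8_t sample_tcp_frame[FRAME_LEN] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x2b, 0x00,0x02,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x30,0x39,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    0x41,0x42,0x43
};

/* Hypothetical helper: copy a sample frame, overwrite one byte, and
 * re-run the check, to show how each malformed case is reported. */
int payload_length_patched(const uint8_t *frame, size_t off, uint8_t value)
{
    uint8_t buf[FRAME_LEN];
    memcpy(buf, frame, sizeof buf);
    buf[off] = value;
    return payload_length(buf, sizeof buf);
}

int main(void)
{
    printf("udp payload: %d\n", payload_length(sample_udp_frame, FRAME_LEN)); /* 2 */
    printf("tcp payload: %d\n", payload_length(sample_tcp_frame, FRAME_LEN)); /* 3 */
    printf("ip_len < ip_hl*4: %d\n", payload_length_patched(sample_udp_frame, 17, 0x10)); /* -3 */
    printf("tcp th_off = 4: %d\n", payload_length_patched(sample_tcp_frame, 46, 0x40));   /* -4 */
    return 0;
}
```

The negative codes are returned rather than printed and abandoned so that a caller in the position described above (wanting to keep and inspect malformed packets) can still hand the raw bytes to an analysis routine, while a well-formed padded frame reports the same 2-byte payload Wireshark and tcpdump show.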