Wireshark mailing list archives
Re: why does wireshark believe that libpcap has a 65535 max packet size?
From: Sam Roberts <vieuxtech () gmail com>
Date: Wed, 23 Nov 2011 17:31:36 -0800
On Wed, Nov 23, 2011 at 5:06 PM, Guy Harris <guy () alum mit edu> wrote:
> On Nov 23, 2011, at 4:16 PM, Sam Roberts wrote:
>> See definition of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.
>>
>> Seems to me it should be checking this (untested):
>>
>>     if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!
>
> There is no guarantee that wth->snapshot_length is non-zero, given that not all capture file formats Wireshark supports put an explicit snapshot length into the file.

If wth->snapshot_length is zero, assuming it's WTAP_MAX_PACKET_SIZE would make a lot of sense, and I can see some kind of upper max on memory usage, but 65K is a pretty small chunk of memory nowadays.

Arguably, we are abusing the pcap format, but we really want to record sequences of large packets in pcap format, for ease of dissection and working with. I was hoping there would be a LINK_TCP for raw TCP data, but in the absence, we are encapsulating the data in fake TCP/IP/ETH headers, and the end result is sometimes over 0xffff by the size of the encapsulation. If the WTAP max was 66000 even, we'd be good!

Cheers,
Sam
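
The length check debated in this thread, as an added example that is not part of the original message and is not Wireshark's wiretap code: a stand-alone scanner for the classic pcap layout that bounds each record's incl_len by the file's snaplen and falls back to 65535 when the snaplen is zero. The names pcap_scan, scan_sample and FALLBACK_MAX are hypothetical, and the sample file is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define FALLBACK_MAX 65535u   /* ceiling used when the file states no snaplen */

/* Read a 32-bit field in the byte order announced by the file's magic. */
static uint32_t rd32(const uint8_t *p, int big)
{
    return big ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
               : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Count the records accepted; -1 means a bad file header. *rejected gets the
 * incl_len of the first over-limit record (0 if none). Scanning stops there
 * because an untrusted length cannot locate the next record. */
long pcap_scan(const uint8_t *buf, size_t len, uint32_t *rejected)
{
    int big;
    *rejected = 0;
    if (len < 24) return -1;                            /* 24-byte file header */
    if (memcmp(buf, "\xd4\xc3\xb2\xa1", 4) == 0) big = 0;
    else if (memcmp(buf, "\xa1\xb2\xc3\xd4", 4) == 0) big = 1;
    else return -1;
    uint32_t snaplen = rd32(buf + 16, big);             /* file header field */
    uint32_t limit = snaplen ? snaplen : FALLBACK_MAX;  /* zero: fall back */
    size_t off = 24;
    long n = 0;
    while (len - off >= 16) {                           /* 16-byte record header */
        uint32_t incl = rd32(buf + off + 8, big);       /* record's incl_len */
        if (incl > limit) { *rejected = incl; break; }
        if (incl > len - off - 16) break;               /* truncated record */
        off += 16 + (size_t)incl;
        n++;
    }
    return n;
}

/* Constructed sample: a little-endian file holding one zero-filled record.
 * The static buffer starts zeroed and only header bytes are ever written. */
long scan_sample(uint32_t snaplen, uint32_t incl, uint32_t *rejected)
{
    static uint8_t f[70000];
    if (incl > sizeof f - 40) return -1;
    memcpy(f, "\xd4\xc3\xb2\xa1", 4);
    for (int i = 0; i < 4; i++) {
        f[16 + i] = (uint8_t)(snaplen >> (8 * i));
        f[32 + i] = f[36 + i] = (uint8_t)(incl >> (8 * i));
    }
    return pcap_scan(f, 40 + (size_t)incl, rejected);
}
```

With a constructed 65589-byte record (65535 bytes plus 54 bytes of Ethernet, IP and TCP headers), the scan rejects the record when the snaplen is 0 or 65535 and accepts it when the file declares a snaplen of 66000.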