Wireshark mailing list archives

Re: why does wireshark believe that libpcap has a 65535 max packet size?


From: Sam Roberts <vieuxtech () gmail com>
Date: Wed, 23 Nov 2011 17:31:36 -0800

On Wed, Nov 23, 2011 at 5:06 PM, Guy Harris <guy () alum mit edu> wrote:
On Nov 23, 2011, at 4:16 PM, Sam Roberts wrote:
See definiton of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.

Seems to me it should be checking this (untested):

 if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!

There is no guarantee that wth->snapshot_length is non-zero, given that not all capture file formats Wireshark 
supports put an explicit snapshot length into the file.

If wth->snapshot_length is zero, assuming it's  WTAP_MAX_PACKET_SIZE
would make a lot of sense, and I can see some kind of upper max on
memory usage, but 65K is a pretty small chunk of memory nowadays.

Arguably, we are abusing the pcap format, but we really want to record
sequences of large packets in pcap format, for ease of dissection and
working with. I was hoping there would be a LINK_TCP for raw TCP data,
but in the absence, we are encapsulating the data in fake TCP/IP/ETH
headers, and the end result is sometimes over 0xffff by the size of
the encapsulation. If the WTAP max was 66000 even, we'd be good!

Cheers,
Sam
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe


Current thread: