Wireshark mailing list archives

why does wireshark believe that libpcap has a 65535 max packet size?

From: Sam Roberts <vieuxtech () gmail com>
Date: Wed, 23 Nov 2011 16:16:11 -0800

See definiton of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.

Seems to me it should be checking this (untested):

  if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!

Attached file can be read by tcpdump, but wireshark chokes on it.

And yes, the IP and TCP packets are fake/invalid, but the pcap is valid!

Cheers,
Sam

Attachment: _.pcap.zip
Description:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

why does wireshark believe that libpcap has a 65535 max packet size? Sam Roberts (Nov 23)
- Re: why does wireshark believe that libpcap has a 65535 max packet size? Guy Harris (Nov 23)
  - Re: why does wireshark believe that libpcap has a 65535 max packet size? Sam Roberts (Nov 23)