Wireshark mailing list archives

Re: why does wireshark believe that libpcap has a 65535 max packet size?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 23 Nov 2011 17:06:27 -0800


On Nov 23, 2011, at 4:16 PM, Sam Roberts wrote:

> See definition of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.
>
> Seems to me it should be checking this (untested):
>
>  if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!

There is no guarantee that wth->snapshot_length is non-zero, given that not all capture file formats Wireshark supports 
put an explicit snapshot length into the file.

Checking against a maximum packet size prevents Wireshark from trying to allocate a huge amount of memory if you have a 
corrupted packet file, but a larger maximum would make sense.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
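
The two points in the reply above, as an added example (not code from this thread or from Wireshark): a record-header check that still bounds the length when the snapshot length is 0 or itself corrupted, next to the snapshot-length-only comparison from the quoted message. All names are hypothetical, the hard maximum is a parameter, and the file is assumed to be little-endian.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not Wireshark's wiretap code. */
enum rec_status { REC_OK, REC_SHORT_HEADER, REC_TOO_LARGE, REC_TRUNCATED };

/* Read a little-endian 32-bit field from the file buffer. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check proposed in the quoted message: snapshot length only. */
static int snaplen_only_rejects(uint32_t incl_len, uint32_t snaplen) {
    return incl_len > snaplen;
}

/* Limit to enforce: the snapshot length when it is set and below the hard
 * maximum, otherwise the hard maximum (0 means the format recorded none). */
static uint32_t record_limit(uint32_t snaplen, uint32_t hard_max) {
    return (snaplen == 0 || snaplen > hard_max) ? hard_max : snaplen;
}

/* Validate a 16-byte pcap record header (ts_sec, ts_usec, incl_len,
 * orig_len) in buf[0..len) before any buffer is sized from incl_len. */
static enum rec_status check_record(const uint8_t *buf, size_t len,
                                    uint32_t snaplen, uint32_t hard_max,
                                    uint32_t *incl_out) {
    if (len < 16)
        return REC_SHORT_HEADER;
    uint32_t incl_len = le32(buf + 8);
    if (incl_len > record_limit(snaplen, hard_max))
        return REC_TOO_LARGE;   /* corrupted length: never allocate for it */
    if (incl_len > len - 16)
        return REC_TRUNCATED;   /* file ends before the packet data does */
    *incl_out = incl_len;
    return REC_OK;
}

int main(void) {
    /* Constructed record: incl_len = 0xFFFFFFF0, as in a corrupted file. */
    uint8_t bad[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0xF0, 0xFF, 0xFF, 0xFF};
    uint32_t n = 0;
    printf("snaplen 0, cap 65535: status %d\n",
           (int)check_record(bad, sizeof bad, 0, 65535u, &n));
    return 0;
}
```

With a snapshot length of 0 the snapshot-length-only comparison rejects every non-empty packet, and with a corrupted, very large snapshot length it accepts any incl_len; the combined check stays bounded by the hard maximum in both cases.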

