Wireshark mailing list archives

Tshark crashes


From: "Alexander Papakhristos" <papakhr () marsat ru>
Date: Tue, 5 Mar 2013 17:52:48 +0400

Hello, I began to use tshark as an exporter for raw traffic data to pdml
format and have a problem: Tshark crashes on several files during export. I
run it as tshark.exe -r <raw_traffic_file_path> -n -T pdml -V >out.xml.
I've received the following error:

Unhandled exception ("emem.c:792: failed assertion "size<((10 * 1024 * 1024)>>2)"", group=1, code=4).

After some investigation, I found that the problem appears when Tshark is
writing (in pdml format) a packet containing the field data.data (in any
proto node) with a size of more than 2.5 MB.

Example (I've replaced non-important values with :):

  <proto name=": ">
    <field name="data" value=":">
      <field name="data.data" showname="Data:..." size="2754632" pos=":" show=": " value=":"/>
      <field name="data.len" showname="Length: 2754632" size="0" pos=":" show="2754632"/>
    </field>
  </proto>

 

How can I fix it? I can use a filter to exclude packets with data.len > 2.5 MB
("(data and data.len < 2500000) or !data"), but that's not a very good
solution. It seems tshark analyzes all packet fragments and writes the entire
data to the first packet in the block. Is there any way to disable that
behavior?

Thanks in advance.

With best regards, Alexander

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
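
An added example, not part of the original post and not Wireshark code: it evaluates the bound quoted in the assertion and stream-scans a PDML document for fields whose size attribute reaches it. The function name, the constructed sample PDML, and the assumption that the asserted size corresponds to the field's size attribute are illustrative and not confirmed by the post.

```python
import io
import xml.etree.ElementTree as ET

# Bound copied from the assertion text in the post: size < ((10 * 1024 * 1024) >> 2)
ASSERT_LIMIT = (10 * 1024 * 1024) >> 2  # 2621440 bytes

# Constructed sample: value= payloads are shortened placeholders; the second
# packet reuses the sizes shown in the post's excerpt.
SAMPLE = b"""<pdml>
<packet><proto name="data">
  <field name="data" value="00">
    <field name="data.data" showname="Data: 00" size="1460" pos="54" show="00" value="00"/>
    <field name="data.len" showname="Length: 1460" size="0" pos="54" show="1460"/>
  </field>
</proto></packet>
<packet><proto name="data">
  <field name="data" value="00">
    <field name="data.data" showname="Data: 00" size="2754632" pos="54" show="00" value="00"/>
    <field name="data.len" showname="Length: 2754632" size="0" pos="54" show="2754632"/>
  </field>
</proto></packet>
</pdml>"""

def oversized_fields(pdml_stream, limit=ASSERT_LIMIT):
    """Yield (proto, field, size) for each PDML field whose size attribute is >= limit.

    Assumption: the size checked by the assertion matches the field's size attribute.
    """
    proto_stack = []  # names of the enclosing <proto> elements
    for event, elem in ET.iterparse(pdml_stream, events=("start", "end")):
        if event == "start":
            if elem.tag == "proto":
                proto_stack.append(elem.get("name", "?"))
            continue
        if elem.tag == "field":
            raw = elem.get("size", "")
            if raw.isdigit() and int(raw) >= limit:
                proto = proto_stack[-1] if proto_stack else "?"
                yield (proto, elem.get("name", "?"), int(raw))
        elif elem.tag == "proto":
            proto_stack.pop()
        elif elem.tag == "packet":
            elem.clear()  # drop the finished packet's large value= attributes

if __name__ == "__main__":
    for proto, field, size in oversized_fields(io.BytesIO(SAMPLE)):
        print(f"{proto}/{field}: {size} bytes >= {ASSERT_LIMIT}")
```
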
