Ethereal-users: Re: [Ethereal-users] too big packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 18 Apr 2002 14:43:44 -0700
On Thu, Apr 18, 2002 at 02:37:31PM -0700, von Kuelmer, Ferdinand wrote:
> what happens with a trace when the following error occurs. 
> 
> <<<<Message: pcap: File has 536872960-byte packet, bigger than maximum of
> 65535>>>>

What happens is that Ethereal discards the apparently-corrupted record
in the file, and stops reading the file, showing only the previous
records.

The most likely reasons for this are

	1) the file was transferred from one machine to another using a
	   mechanism that does *NOT* preserve the contents, e.g. FTPing
	   in ASCII rather than binary mode;

	2) the file was written by yet another "improved" version of
	   libpcap that changed the file format without changing the
	   magic number to one not used by the standard libpcap or one
	   of the modified libpcaps that *did* at least change the magic
	   number.

There might be other ways in which the file was corrupted as well.