Ethereal-users: Re: [Ethereal-users] Why only 28 bytes captured for any frame???

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 2 May 2003 17:07:19 -0700
On Fri, May 02, 2003 at 11:44:07PM +0200, Joerg Mayer wrote:
> On Fri, May 02, 2003 at 09:20:19AM -0500, John H. Critchfield Jr. wrote:
> > Unknown.  NAI Sniffer and other protocol analyzers decode the entire frame.
> > Even when the capture is specified to capture more than the 28 bytes,
> > Ethereal does not.  Perhaps some parameter I have not yet located should be
> > adjusted.  Any ideas?
> > 
> > Win 95B , Ethereal 1.3.0 binary - I did not re-compile it, WinPCAP 3.0.
> 
> OK, let me summarize:
> You have capture files (in sniffer format?) that Ethereal decodes incorrectly
> in the current version.

Or perhaps what he really means is "NAI Sniffer and other protocol
analyzers *capture* the entire frame", and the only reason he
interpreted it as Ethereal not *decoding* the entire frame is that he's
only used Ethereal to read its own captures (or perhaps captures from
WinDump).

The way to tell which of those two he means is to capture using the
Sniffer (which is presumably running on the same machine), save the
capture to a file, and have Ethereal read the file from the Sniffer.

If the entire frame appears, then it's not that Ethereal isn't
*decoding* the entire frame, it's that Ethereal isn't *capturing* the
entire frame.

If so, then it is almost certainly a WinPcap problem, in which case
there's nothing Ethereal can do about it.  He should download WinDump:

	http://windump.polito.it/

and try capturing with it - and should specify, with the "-s" flag, the
maximum number of bytes of each packet that should be saved (65535 is
the right answer if he wants *all* of the packet).  He should use the
"-w" flag to save the capture to a file, and then try to read the
capture with Ethereal.

If the packets are still cut off at 28 bytes, then it's a WinPcap
problem, and he should follow the bug-reporting procedure described in

	http://winpcap.polito.it/contact.htm

*including* the steps about downloading and installing the special
"packet.dll" version and sending off *all* the special files written out
by WinPcap.
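
The capture-versus-decode question in the message above can also be answered from the file that WinDump writes with "-w", since each record stores both the number of bytes saved and the frame's length on the wire. The following is an added example, not part of the original post; it assumes the file is in the classic libpcap format (not Sniffer format), and `truncation_report` and `build_pcap` are hypothetical names used only here.

```python
import struct

# Classic libpcap file magics (microsecond and nanosecond timestamp variants).
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)

def truncation_report(data: bytes) -> dict:
    """Compare saved length with on-the-wire length for every record in a pcap file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    # The magic number reveals the byte order the writing machine used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic libpcap file")
    # Snapshot length the capturing program asked for (the "-s" value).
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    report = {"snaplen": snaplen, "frames": 0, "truncated": 0, "max_captured": 0}
    offset = 24
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len (saved), orig_len (on the wire).
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % offset)
        report["frames"] += 1
        report["truncated"] += int(incl_len < orig_len)
        report["max_captured"] = max(report["max_captured"], incl_len)
        offset += 16 + incl_len
    return report

def build_pcap(snaplen: int, wire_lengths) -> bytes:
    """Constructed sample data: a little-endian Ethernet pcap with zero-filled frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(wire_lengths):
        incl_len = min(orig_len, snaplen)  # what a capture with this snaplen would save
        out += struct.pack("<IIII", i, 0, incl_len, orig_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    # Constructed captures: one cut off at 28 bytes, one taken with "-s 65535".
    for snap in (28, 65535):
        print(truncation_report(build_pcap(snap, [60, 1514, 342])))
```

A report with "max_captured" of 28 and "truncated" equal to "frames" means the bytes were never written to the file, so the loss happened at capture time rather than in the decoder.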