On Friday, July 25, 2003, at 8:42 AM, jim feldman wrote:
Date: Thu, 24 Jul 2003 17:55:11 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Ethereal-users] corrupt capture files on freebsd 4.8
On Thursday, July 24, 2003, at 2:52 PM, jim feldman wrote:
I can't seem to save my capture files in libpcap format. It always
complains they're corrupt. If I try and load the saved file, I get
this from the command line.
Message: pcap: File has 103809088-byte packet, bigger than maximum
of 65535
What happens if you try to read the saved file with tcpdump?
That's when I get the above message.
Tcpdump, or Tethereal? That's an Ethereal/Tethereal message, from code
that's not in tcpdump, so you won't get that with tcpdump.
I suspect, from what you say later, that tcpdump will be able to read
the dump with no problem.
When I try and read one of the capture files from the ethereal
sample area, it core dumps.
I saw an old reference (in the ethereal archives) to problems on
netbsd and zlib and defining z_off_t. I hacked the makefile to pass
without-zlib to configure, and the resulting image works fine. Going
from there, I checked and found my zconf.h was different in
/usr/include and /usr/local/include. Wasn't the issue that defining
z_off_t as a long was "wrong" for ethereal?
The issue is that defining z_off_t in a fashion that doesn't match the
way it was defined inside the zlib with which Ethereal was linked is
wrong for Ethereal. Inside zlib, it's defined as an off_t on systems
that have it (such as all modern UNIX systems); outside zlib - or, at
least, outside the standard zlib distribution - it's defined
differently depending on whether your application happens to define
HAVE_UNISTD_H or not before including zlib.h.
If you're curious what the full painful story is, see the long comment
in wiretap/file_wrappers.c in the Ethereal source. I think current
versions of all the free-software BSDs have fixed this so that zlib.h
defines z_off_t to match the way it's defined in the library,
regardless of whether HAVE_UNISTD_H is defined. Ethereal also tries to
compensate for that problem (again, see wiretap/file_wrappers.c).
The problem on your machine is, I suspect, that you have two different
versions of zlib installed - the one that came with FreeBSD (which is a
sufficiently current version that the zlib headache is, I think, fixed)
and some other one, and that, somehow, Ethereal is configured and
compiled with the header file from one of them but linked with the
other, and that the two libraries don't have the same size for z_off_t,
or that the port was configured with the native zlib in FreeBSD and
doesn't build a working Ethereal if built on a system that has its own
zlib.
Try un-installing the zlib in /usr/local (header file *and* library)
and redo the Ethereal build from scratch and see whether the resulting
Ethereal works. If so, the problem might be that the port is
configured to build with FreeBSD's zlib, and is getting confused if it
ends up building with another zlib.
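
An added example, not part of the original message and not Ethereal's code: one way to check for the header/library disagreement described above is to compare sizeof(z_off_t) from the zlib.h used at compile time with the width the linked library reports through zlibCompileFlags(). It assumes a zlib new enough to provide zlibCompileFlags(); the helper names and the WITH_ZLIB build switch are made up for this example.

```c
/* Added example: does the zlib.h we compiled against agree with the libz we
 * linked on the width of z_off_t?  Build: cc -DWITH_ZLIB zoff_check.c -lz
 * Without -DWITH_ZLIB only a constructed sample value is decoded. */
#include <stdio.h>
#include <stddef.h>
#ifdef WITH_ZLIB
#include <zlib.h>
#endif

/* zlibCompileFlags() bits 7..6 encode the library's z_off_t width:
 * 00 = 16 bits, 01 = 32, 10 = 64, 11 = other. Returns bytes, 0 for "other". */
static size_t zoff_bytes_in_library(unsigned long compile_flags)
{
    switch ((compile_flags >> 6) & 3UL) {
    case 0:  return 2;
    case 1:  return 4;
    case 2:  return 8;
    default: return 0;
    }
}

/* 1 = header and library disagree, 0 = agree, -1 = library reports "other"
 * so the widths cannot be compared. */
static int zoff_mismatch(unsigned long compile_flags, size_t header_bytes)
{
    size_t lib_bytes = zoff_bytes_in_library(compile_flags);
    if (lib_bytes == 0)
        return -1;
    return lib_bytes != header_bytes;
}

int main(void)
{
#ifdef WITH_ZLIB
    unsigned long flags = zlibCompileFlags();   /* what libz was built with */
    size_t header_bytes = sizeof(z_off_t);      /* what zlib.h told this file */
    printf("zlib header %s, library %s\n", ZLIB_VERSION, zlibVersion());
#else
    unsigned long flags = 0x40UL;  /* constructed: library with 32-bit z_off_t */
    size_t header_bytes = 8;       /* constructed: header claims 64-bit */
#endif
    int r = zoff_mismatch(flags, header_bytes);
    printf("z_off_t: header %zu bytes, library %zu bytes -> %s\n",
           header_bytes, zoff_bytes_in_library(flags),
           r == 1 ? "MISMATCH" : r == 0 ? "ok" : "unknown");
    return r == 1;
}
```

Build it with the same include and library search paths as the program being diagnosed, otherwise it tests a different header/library pair.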