Wireshark-dev: Re: [Wireshark-dev] Why am I getting a BoundsError?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 25 Oct 2006 17:02:58 -0700
Andrew Schweitzer wrote:
I'm writing a dissector for a proprietary protocol and using tcp_dissect_pdus. Our packets can be 2k, and sometimes I seem to get incorrectly parsed messages in the gui. I see the text in the gui "Packet size limited during capture".

I found this in packet-frame.c, and apparently I'm getting a "BoundsError", possibly because my "snapshot length too short".

Any idea what's going on here?

In a packet that gets a BoundsError, what are the captured length and (actual) length in the "Frame" section of the packet detail pane?

If the captured length is less than the actual length, that's because the snapshot length used when the capture was made was less than the actual size of the link-layer packet on the wire; that means that not all data in the link-layer packet is available in the capture.

If that's the case, then:

Is there something I can do to fix it? Either in code or in settings?

...you fix it by increasing the snapshot length. The default snapshot length in Wireshark and Tshark is 65535, which should be big enough for any link-layer packet; however, the default snapshot length in tcpdump is 68 bytes (for tcpdump built without IPv6 support) or 96 bytes 9for tcpdump built with IPv6 support), and you need to use the "-s" flag (with the argument 0, unless it's a really old tcpdump, in which case you need the argument 65535) to increase the snapshot length.