On Jul 20, 2009, at 3:41 PM, Joshua (Shiwei) Zhao wrote:
I believe it's a bug there, at least in 1.0.4 I'm using.
I don't believe all packets have that big headers over 500 bytes.
What matters is whether all the data dissected in the packet is bigger
than the snapshot length; in an SMB request or response, for example,
that would include any radio header the packet has, the 802.11 header,
the IP header, the TCP header, the NetBIOS-over-TCP or SMB-over-TCP
header, and the entire SMB message, with the possible exception of
data in a read reply or write request.
The code must checked the whole data payload size, instead of only
checking the header length when it tries to dissect and throw an
execption.
I'll try to debug. Meanwhile any hints/suggestions are welcome.
Could you extract from the capture file one of the packets that's
claimed to have been cut short and send it to us?