Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message

From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 22 Mar 2010 11:53:03 -0400
Chris

All I did was create this dissector. All of the customers (whom are running our software) use this dissector that I created. The customer has captured 1000's of packets using this dissector with no problem.

They sent me this .pcap file and told me that it crashes.... and I noticed the "Packet Size limited during capture" message. So I have no idea what program they used to capture the packets and what the
value of snaplen was.

Generally...if they want to take a snap shot of what is on the network... they just open up wireshark (most customers have winXp boxes)...let it run for a little bit... then do a stop and save as .pcap.
But when they tried to play back this .pcap file it crashes.

Is there anything else I can do..??

So I guess what you are saying is that my code is working properly....but the packet was too big ...so it truncated the packet (because the snaplen was too small) therefore making the code crash because it was expecting a "end of packet code"... which it never got because it was truncated..?? Is my assumption correct..??

Thanks,
Brian



Maynard, Chris wrote:
"Packet Size limited during capture" tells me that the packet was bigger than the snaplen set, so the packet was truncated when captured.  In Wireshark, the snaplen is set in the capture options dialog using the "Limit each packet to ___ bytes" option, and with dumpcap, tshark and tcpdump it is set via the "-s <snaplen>" option.  If not specified, tcpdump uses a default snaplen of 68 (or 96, depending on the platform).  Which program did you use to capture the packets and what was the value of the snaplen vs. what was the expected number of bytes for the packet in question?

Too bad the snaplen information isn't available through capinfos, but you can find out the snaplen via Wireshark's Statistics -> Summary window, listed as "Packet size limit".

- Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Mike Morrin
Sent: Monday, March 22, 2010 2:59 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packet Size limited during capture message


When I run a pcap file with my dissector in place wireshark crashes (win32.dll error).

But I was able to run the pcap file and stop the loading process before it crashed and one thing that I noticed
was in the info column it said "Packet Size limited during capture".

I never saw this before...does anybody know what this means..?? Could this be why it was crashing..??

MM- I have seen "Packet Size limited during capture" due to a bug where
a dissector assumed that a PDU always had a data segment at the end, but
occasionally one didn't.  That would not directly cause your crash, you
probably have 2 bugs.

Try running with a breakpoint in do_throw() (around line 182 in except
.c), on a trace that has only the packet(s) that cause the problem.



CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe