Guy
The snaplen was set to 150 when using tshark.
I see a Frame that says (for example): Frame 7 (341 bytes on wire,
150 bytes captured).
But looking at the detailed view of this packet... it actually looks
good until you get to the end... it is truncated.
And NO... the pcap file doesn't crash when the dissector is removed. I
can load about 70% of it and hit stop.... but
if I let it go any further it will crash Wireshark.
Like I said in my email to Martin.... if I followed all the Wireshark
coding standards... shouldn't the code handle this..??
What should be my next step..??
Thanks for your help
Brian
Guy Harris wrote:
On Mar 21, 2010, at 9:14 PM, Brian Oleksa wrote:
But I was able to run the pcap file and stop the loading process before
it crashed and one thing that I noticed
was in the info column it said "Packet Size limited during capture".
In the detail view for the packet that has "Packet Size limited during capture", the topmost line ("Frame {N}") should say "{N} bytes on wire, {M} bytes captured" (it might also give some numbers of bits). Is {N} greater than {M}? If so, that's the problem - the packets were captured with a snapshot length specified, so that at most the first {M} bytes of the packet were saved to the file.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
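
The "bytes on wire" versus "bytes captured" comparison discussed in this thread, as an added example that is not code from the thread or from Wireshark: a small classic-pcap walker that counts records cut by the snapshot length, plus a field read bounded by the captured length. The names `count_truncated`, `read_be16` and `build_sample` are hypothetical, and the sample file is constructed inline (little-endian, one record using the 341/150 figures quoted above).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read (the constructed sample below is little-endian). */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Walk a classic pcap buffer. Returns how many records have fewer bytes
 * captured (incl_len) than on the wire (orig_len), or -1 if malformed. */
int count_truncated(const uint8_t *buf, size_t len) {
    if (len < 24 || le32(buf) != 0xa1b2c3d4u) return -1;
    size_t off = 24;
    int n = 0;
    while (off < len) {
        if (len - off < 16) return -1;            /* partial record header */
        uint32_t incl = le32(buf + off + 8), orig = le32(buf + off + 12);
        off += 16;
        if (incl > len - off) return -1;          /* incl_len exceeds file data */
        if (incl < orig) n++;                     /* cut by the snapshot length */
        off += incl;
    }
    return n;
}
/* Big-endian 16-bit field read bounded by the captured length, not the wire
 * length. Returns 1 on success, 0 if the field was cut off. */
int read_be16(const uint8_t *pkt, uint32_t caplen, uint32_t off, uint16_t *out) {
    if (caplen < 2 || off > caplen - 2) return 0;
    *out = (uint16_t)(pkt[off] << 8 | pkt[off + 1]);
    return 1;
}
/* Constructed sample file: one record, 341 bytes on wire, 150 captured. */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t ghdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 150,0,0,0, 1,0,0,0};
    static const uint8_t rhdr[16] = {0,0,0,0, 0,0,0,0, 150,0,0,0, 0x55,0x01,0,0};
    if (cap < 190) return 0;
    memcpy(buf, ghdr, 24);
    memcpy(buf + 24, rhdr, 16);
    memset(buf + 40, 0xAB, 150);                  /* filler payload bytes */
    return 190;
}
int main(void) {
    uint8_t f[256];
    uint16_t v;
    size_t n = build_sample(f, sizeof f);
    printf("truncated records: %d\n", count_truncated(f, n));
    printf("field at 148: %d, at 149: %d\n", read_be16(f + 40, 150, 148, &v), read_be16(f + 40, 150, 149, &v));
    return 0;
}
```

A field that straddles or lies beyond byte 150 is reported as unavailable instead of being read from memory past the captured data.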