Wireshark-dev: [Wireshark-dev] Is snaplen check in editcap.c correct?
Hi,
I'm using editcap with Catapult DCT2000 log files. The wiretap module doesn't set wth->snapshot_len, so it's coming out as 0.
It was intentionally left as 0, as I thought this corresponded to "we have the whole frame, it's not truncated". Most other wiretap modules seem to do the same.
editcap.c has this test:
    if(phdr->caplen > wtap_snapshot_length(wth)) {
        fprintf(stderr, "Warning: packet %d too big for file type, skipping it...\n", count);
        count++;
        continue;
    }
which will discard any packet which has the snapshot length set to 0.
I'm happily using this test instead, i.e. only do the comparison if it's non-zero.
    if((wtap_snapshot_length(wth) != 0) && (phdr->caplen > wtap_snapshot_length(wth))) {
        fprintf(stderr, "Warning: packet %d too big for file type, skipping it...\n", count);
        count++;
        continue;
    }
Would it be correct to check in this change?
Should the wiretap modules set some large value for the snapshot length instead?
Thanks,
Martin
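
Added example, not part of the original post and not Wireshark code: a stand-alone C model of the two checks quoted above, run over constructed captured lengths to show how each treats a snapshot length of 0. The names skip_original, skip_proposed, count_kept and sample_caplens are hypothetical; caplen stands in for phdr->caplen and snaplen for wtap_snapshot_length(wth).

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the wiretap values used in the post:
 * caplen models phdr->caplen, snaplen models wtap_snapshot_length(wth). */

/* Check as quoted from editcap.c: with snaplen 0, every packet with a
 * non-zero captured length compares as "too big". */
static int skip_original(unsigned caplen, unsigned snaplen)
{
    return caplen > snaplen;
}

/* Check proposed in the post: only compare when snaplen is non-zero,
 * so 0 is treated as "no snapshot limit recorded". */
static int skip_proposed(unsigned caplen, unsigned snaplen)
{
    return snaplen != 0 && caplen > snaplen;
}

/* Count how many packets a given check would let through. */
static size_t count_kept(const unsigned *caplens, size_t n, unsigned snaplen,
                         int (*skip)(unsigned, unsigned))
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!skip(caplens[i], snaplen))
            kept++;
    return kept;
}

/* Constructed captured lengths, not taken from a real capture file. */
static const unsigned sample_caplens[] = { 60, 128, 1514, 0 };
#define SAMPLE_COUNT (sizeof sample_caplens / sizeof sample_caplens[0])

int main(void)
{
    const unsigned snaplens[] = { 0, 96, 65535 };
    for (size_t i = 0; i < sizeof snaplens / sizeof snaplens[0]; i++)
        printf("snaplen=%u: original keeps %zu, proposed keeps %zu of %zu\n",
               snaplens[i],
               count_kept(sample_caplens, SAMPLE_COUNT, snaplens[i], skip_original),
               count_kept(sample_caplens, SAMPLE_COUNT, snaplens[i], skip_proposed),
               (size_t)SAMPLE_COUNT);
    return 0;
}
```

For a non-zero snapshot length the two checks agree; they differ only when the file reports 0.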