On Sep 1, 2011, at 1:09 PM, Glenn Matthews wrote:
> I'm working on a new dissector for a TCP-based protocol. I think I've got the dissector successfully handling fragmented packets (using tcp_dissect_pdus), and I think I've got the dissector successfully handling truncated packets ("packet size limited during capture") but what do I need to do for captures where both apply?
Add support for reassembly of cut-off-by-the-snaplen packets to Wireshark.
I.e.:
> Is this a known limitation in Wireshark,
Yes.
It might be possible to remove that limitation, but it'd probably be tricky. I'd suggest using "-s 0" as the argument to tcpdump when capturing (the "96" sounds suspiciously like the default snapshot length for IPv6-capable tcpdump until the recent changes to default to 65535, that being what you get with "-s 0" in tcpdumps from the past N years for some value of N).