Wireshark-dev: [Wireshark-dev] Wireshark / TShark Record Length: Stops Display

From: Nalini J Elkins <nalini.elkins@xxxxxxxxxxxxxxxxxx>
Date: Fri, 11 Aug 2017 16:26:33 +0000 (UTC)
Guys,

I am testing some test code for the new PDM IPv6 Destination Option (https://datatracker.ietf.org/doc/draft-ietf-ippm-6man-pdm-option/) which is now in the RFC Editor's queue, so should get an RFC number soon!

Anyway, what is happening is that we have a bug in the record length (I suspect!) when there is IP fragmentation.  At least, we are trying to fix our issues with an IP fragmentation bug in our code.  The message I get from Wireshark is:

"The capture file appears to be damaged or corrupt. (pcap: File has 172958905-byte packet, bigger than maximum of 262144)"

I suspect that is an invalid packet that we have created.  But, the problem is that both Wireshark & TShark stop decrypting at that point so I can't see the packet itself.  The capture file is pretty large: about 700KB but only 239 packets are decrypted.  I suspect our problem is in packet 240!

Any hints on what I might do?
 
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360