Wireshark-dev: Re: [Wireshark-dev] 4GB limit for RPC dissector?

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Fri, 26 Jan 2024 06:46:12 -0500

On Fri, Jan 26, 2024, 4:27 AM Linux Smiths <linuxsmiths@xxxxxxxxx> wrote:

Can someone confirm this or if anyone has used wireshark/tshark to decode RPC streams greater than 4GB your confirmation will be helpful too. Btw I've tried all the protocol preferences and nothing helps.

Thanks,
LS


It's a known issue, sorry, that affects anything over TCP that needs desegmentation. That's when the TCP sequence number rolls over. See here:



Fixing it involves having some kind of extended sequence number and changing certain lookups for old segments. Unlike an ordinary network stack, Wireshark (and also tshark, even in one pass mode) can't just discard old segments but keeps information around so that random packet access is possible.

John Thacker
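
The extended sequence number idea mentioned in the reply above, as an added sketch that is not part of the original message and is not Wireshark's code. The names `seq_ext_state` and `seq_extend` are hypothetical, and the sketch assumes every segment arrives within 2^31 bytes of the highest sequence number seen so far on that flow direction.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Per-direction flow state (hypothetical struct, not a Wireshark type). */
typedef struct {
    int      initialized;
    uint64_t highest;   /* highest extended sequence number seen so far */
} seq_ext_state;

/* Map a 32-bit wire sequence number to a 64-bit extended one by picking the
 * value congruent to seq (mod 2^32) that lies closest to the highest extended
 * value seen so far. Late or retransmitted segments from before a rollover
 * therefore land below the rollover point instead of colliding with new data. */
uint64_t seq_extend(seq_ext_state *st, uint32_t seq)
{
    if (!st->initialized) {
        /* Start one epoch up so segments slightly older than the first one
         * seen can still be placed without going below zero. */
        st->initialized = 1;
        st->highest = (UINT64_C(1) << 32) | seq;
        return st->highest;
    }
    /* Signed 32-bit distance from the low 32 bits of the reference point. */
    int32_t delta = (int32_t)(seq - (uint32_t)st->highest);
    uint64_t ext = st->highest + (uint64_t)(int64_t)delta;
    if (ext > st->highest)
        st->highest = ext;
    return ext;
}

int main(void)
{
    /* Constructed wire sequence numbers around two rollovers. */
    const uint32_t wire[] = { 0xFFFFFF00u, 0x00000100u, 0xFFFFFF80u,
                              0x80000000u, 0xF0000000u, 0x00000100u };
    seq_ext_state st = { 0, 0 };
    for (size_t i = 0; i < sizeof wire / sizeof wire[0]; i++)
        printf("wire 0x%08" PRIx32 " -> ext 0x%" PRIx64 "\n",
               wire[i], seq_extend(&st, wire[i]));
    return 0;
}
```

Keying segment lookups on the 64-bit value rather than the wire value is what keeps the two occurrences of `0x00000100` in the sample distinct.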