On Nov 23, 2011, at 4:16 PM, Sam Roberts wrote:
> See definition of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.
>
> Seems to me it should be checking this (untested):
>
> if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!
There is no guarantee that wth->snapshot_length is non-zero, given that not all capture file formats Wireshark supports put an explicit snapshot length into the file.
Checking against a maximum packet size prevents Wireshark from trying to allocate a huge amount of memory if you have a corrupted packet file, but a larger maximum would make sense.
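
One way to combine the two checks discussed in this thread, as an added example that is not part of either message and is not Wireshark's code: the snapshot length is used as a bound only when the file supplied a non-zero one, and a hard cap always limits the allocation. The names `example_rec_hdr`, `effective_limit`, `check_record` and the value of `EXAMPLE_MAX_PACKET_SIZE` are assumptions made for the illustration.

```c
#include <stdint.h>

/* Hypothetical cap for this example; not the value of WTAP_MAX_PACKET_SIZE. */
#define EXAMPLE_MAX_PACKET_SIZE 262144u

/* Per-record header as read from a capture file (already in host byte order). */
struct example_rec_hdr {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t incl_len;   /* bytes of packet data stored in the file */
    uint32_t orig_len;   /* length of the packet on the wire */
};

enum rec_check { REC_OK = 0, REC_TOO_LARGE, REC_EXCEEDS_SNAPLEN };

/*
 * Largest record the reader will allocate for.
 * snaplen == 0 means the file format carried no snapshot length, so only
 * the hard cap applies. A non-zero snaplen also comes from the file and may
 * be corrupted, so it is clamped to the hard cap as well.
 */
uint32_t effective_limit(uint32_t snaplen)
{
    if (snaplen == 0 || snaplen > EXAMPLE_MAX_PACKET_SIZE)
        return EXAMPLE_MAX_PACKET_SIZE;
    return snaplen;
}

/* Validate incl_len before any buffer of that size is allocated. */
enum rec_check check_record(const struct example_rec_hdr *h, uint32_t snaplen)
{
    /* Hard cap first: bounds the allocation whatever the snapshot length says. */
    if (h->incl_len > EXAMPLE_MAX_PACKET_SIZE)
        return REC_TOO_LARGE;

    /* Reported separately so the caller can decide whether to reject or warn. */
    if (h->incl_len > effective_limit(snaplen))
        return REC_EXCEEDS_SNAPLEN;

    return REC_OK;
}
```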