Re: pcap file format documentation

[Guy Harris <guy () alum mit edu>]

On Mar 24, 2006, at 1:35 PM, Don Morrison wrote:

> My apologies, what I said was incorrect.  Running the command does not
> crash tcpdump, but the outputfile ("clean.pcap") will crash Ethereal,
> so while both files are clean enough for tcpdump to display and not
> crash, not so for Ethereal.

That doesn't mean that the problem is a result of an incomplete  
record at the end of the file; tcpdump and Ethereal can handle those OK.

The problem is probably a crash in some dissector, due to a bug in  
the dissector.  You should submit that to the Ethereal bugzilla at  
bugs.ethereal.com - preferably with a stack trace.  Note that without  
a stack trace or a capture, it's unlikely that anybody will be able  
to do anything about it - there are 997,557 lines in all the ".c" and  
".h" files in the directory containing Ethereal dissectors (stated as  
such because that counts comments, blank lines, etc.).

If broken.pcap caused a crash or hang in tcpdump (when printing its  
output, not when writing it to a file with "-w"), there might be a  
bug in a tcpdump dissector as well.

Note that the crash might be due to a *non*-truncated packet.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.