Re: Packet Size limited during capture message

[Brian Oleksa <oleksab () darkcornersoftware com>]

Chris

All I did was create this dissector. All of the customers (whom are 
running our software) use this dissector that I created. The customer 
has captured 1000's of packets using this dissector with no problem.

They sent me this .pcap file and told me that it crashes.... and I 
noticed the "Packet Size limited during capture" message. So I have no 
idea what program they used to capture the packets and what the
value of snaplen was.

Generally...if they want to take a snap shot of what is on the 
network... they just open up wireshark (most customers have winXp 
boxes)...let it run for a little bit... then do a stop and save as .pcap.
But when they tried to play back this .pcap file it crashes.

Is there anything else I can do..??

So I guess what you are saying is that my code is working 
properly....but the packet was too big ...so it truncated the packet 
(because the snaplen was too small) therefore making the code crash 
because it was expecting a "end of packet code"... which it never got 
because it was truncated..?? Is my assumption correct..??

Thanks,
Brian



Maynard, Chris wrote:
> "Packet Size limited during capture" tells me that the packet was bigger than the snaplen set, so the packet was 
> truncated when captured.  In Wireshark, the snaplen is set in the capture options dialog using the "Limit each packet 
> to ___ bytes" option, and with dumpcap, tshark and tcpdump it is set via the "-s <snaplen>" option.  If not 
> specified, tcpdump uses a default snaplen of 68 (or 96, depending on the platform).  Which program did you use to 
> capture the packets and what was the value of the snaplen vs. what was the expected number of bytes for the packet in 
> question?
>
> Too bad the snaplen information isn't available through capinfos, but you can find out the snaplen via Wireshark's 
> Statistics -> Summary window, listed as "Packet size limit".
>
> - Chris
>
> -----Original Message-----
> From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Mike Morrin
> Sent: Monday, March 22, 2010 2:59 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Packet Size limited during capture message
>
>
> When I run a pcap file with my dissector in place wireshark crashes 
> (win32.dll error).
>
> But I was able to run the pcap file and stop the loading process before 
> it crashed and one thing that I noticed
> was in the info column it said "Packet Size limited during capture".
>
> I never saw this before...does anybody know what this means..?? Could 
> this be why it was crashing..??
>
> MM- I have seen "Packet Size limited during capture" due to a bug where
> a dissector assumed that a PDU always had a data segment at the end, but
> occasionally one didn't.  That would not directly cause your crash, you
> probably have 2 bugs.
>
> Try running with a breakpoint in do_throw() (around line 182 in except
> .c), on a trace that has only the packet(s) that cause the problem.
>
>
>
> CONFIDENTIALITY NOTICE: The contents of this email are confidential
> and for the exclusive use of the intended recipient. If you receive this
> email in error, please delete it from your system immediately and 
> notify us either by email, telephone or fax. You should not copy,
> forward, or otherwise disclose the content of the email.
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
>   
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe