Re: Packet Size limited during capture message

[Martin Visser <martinvisser99 () gmail com>]

Any dissector needs to be validate it's input and make sure it doesn't make
errant conclusions on what is presented.

For example many protocols have fields that indicate lengths of data within
the frame. However any dissector needs to make sure that it doesn't just
believe those fields as being correct. A bad h@x0r might change those fields
beyond what the protocol intended either to crash the real application or
even wireshark.

Also packets might get unintentionally corrupted or truncated with
similar consequences. (Broken links, routers, VPNs can all do this).
Wireshark dissectors need to be resilient to this.

Finally Wireshark (and tcpdump) have always had the ability to only capture
a truncated packet (mainly to limit resources required during packet
capture). A dissector also needs to cope with this.

Regards, Martin

MartinVisser99 () gmail com


On Wed, Mar 24, 2010 at 2:42 AM, Brian Oleksa <
oleksab () darkcornersoftware com> wrote:

> Chris
>
> I will have to look into why my dissector is crashing when I get the Packet
> Size Limited during capture message.
>
> I am an employee of Dark Corner Software. I am writing the dissector for
> our clients that use our software.
>
> I have fixed the license issue. Attached is the latest updated file that I
> am still working on.
>
> We have open source software and closed source software. I am trying to get
> the open source dissector submitted through wireshark so it can become a
> part of the wireshark distribution (this is the attached copy).
>
> Our closed source software is for our customers only. I have written a
> dissector for our closed source software for the client. This is where I am
> getting the "Packet Size limited during capture " message from.
>
>
> Thanks,
> Brian
>
>
>
> Maynard, Chris wrote:
>
> > As Jakub pointed out, regardless of the snaplen, if Wireshark is crashing,
> > then the bug is in the dissector, although IMO the biggest bug in the
> > dissector is still the incompatible license.
> >
> > Brian, please carefully read
> > http://www.gnu.org/licenses/gpl-faq.html#GPLModuleLicense
> >
> > Gerald et al, consider this e-mail as a report of a violation of the GPL
> > per http://www.gnu.org/licenses/gpl-faq.html#ReportingViolation
> >
> > So until the dissector is properly licensed, I suggest contacting these
> > folks for support on this dissector:
> > http://www.darkcornersoftware.com/contact.html
> >
> > - Chris
> >
> > -----Original Message-----
> > From: wireshark-dev-bounces () wireshark org [mailto:
> > wireshark-dev-bounces () wireshark org] On Behalf Of Mike Morrin
> > Sent: Tuesday, March 23, 2010 9:02 AM
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] Packet Size limited during capture message
> >
> >
> > -----Original Message-----
> > From: wireshark-dev-bounces () wireshark org
> > [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Brian Oleksa
> > Sent: 23 March 2010 12:23
> > To: Developer support list for Wireshark
> > Subject: Re: [Wireshark-dev] Packet Size limited during capture message
> >
> > Chris
> >
> > I just found out that this was captured using tshark.....but nobody knows
> > what the snaplen was.
> >
> > So my questions is....   My code is working correctly then....And that
> > this was just a bad judgment of the wrong snaplen......correct..??
> >
> > Thanks,
> > Brian
> >
> > --------------------------------------------------------------------
> > It is possible for a dissector bug to throw this exception even with a
> > perfectly captured packet, see Bug 2855 for example.
> >
> >
> >
> >
> >
> >
> >
> > This message contains confidential information and may be privileged. If
> > you are not the intended recipient, please notify the sender and delete the
> > message immediately.
> >
> > ip.access Ltd, registration number 3400157, Building 2020, Cambourne
> > Business Park, Cambourne, Cambridge CB23 6DW, United Kingdom
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
> > CONFIDENTIALITY NOTICE: The contents of this email are confidential
> > and for the exclusive use of the intended recipient. If you receive this
> > email in error, please delete it from your system immediately and notify
> > us either by email, telephone or fax. You should not copy,
> > forward, or otherwise disclose the content of the email.
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe