
Wireshark-dev: [Wireshark-dev] Is snaplen check in editcap.c correct?

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Tue, 19 Jul 2011 12:35:36 +0100
Hi,

I'm using editcap with Catapult DCT2000 log files.  The wiretap module doesn't set wth->snapshot_len, so it's coming out as 0.
It was intentionally left as 0, as I thought this corresponded to "we have the whole frame, it's not truncated".  Most other wiretap modules seem to do the same.

editcap.c has this test:

        if(phdr->caplen > wtap_snapshot_length(wth)) {
            fprintf(stderr, "Warning: packet %d too big for file type, skipping it...\n", count);
            count++;
            continue;
        }

which will discard any packet which has the snapshot length set to 0.

I'm happily using this test instead, i.e. only do the comparison if it's non-zero.

        if((wtap_snapshot_length(wth) != 0) && (phdr->caplen > wtap_snapshot_length(wth))) {
            fprintf(stderr, "Warning: packet %d too big for file type, skipping it...\n", count);
            count++;
            continue;
        }

Would it be correct to check in this change?
Should the wiretap modules set some large value for the snapshot length instead?

Thanks,
Martin
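
The two checks quoted in the message, run side by side over constructed packet lengths. This is an added example, not part of the original post or of editcap.c; `skip_original`, `skip_guarded`, `count_kept` and the sample lengths are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample records: only the captured length matters here. */
static const uint32_t sample_caplen[] = { 60, 96, 1514, 9000 };
#define N_SAMPLES (sizeof sample_caplen / sizeof sample_caplen[0])

/* Comparison as quoted from editcap.c: with snaplen 0, any caplen > 0 is rejected. */
static int skip_original(uint32_t caplen, uint32_t snaplen)
{
    return caplen > snaplen;
}

/* Comparison proposed in the post: compare only when a snapshot length is recorded. */
static int skip_guarded(uint32_t caplen, uint32_t snaplen)
{
    return snaplen != 0 && caplen > snaplen;
}

typedef int (*skip_fn)(uint32_t caplen, uint32_t snaplen);

/* Hypothetical stand-in for the copy loop: count the packets that are kept. */
static size_t count_kept(skip_fn skip, uint32_t snaplen)
{
    size_t kept = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) {
        if (skip(sample_caplen[i], snaplen)) {
            fprintf(stderr, "Warning: packet %zu too big for file type, skipping it...\n", i + 1);
            continue;
        }
        kept++;
    }
    return kept;
}

int main(void)
{
    /* snaplen 0: the reader did not set a snapshot length. */
    printf("snaplen 0:  original keeps %zu, guarded keeps %zu\n",
           count_kept(skip_original, 0), count_kept(skip_guarded, 0));
    /* snaplen 96: a real limit, where both checks must agree. */
    printf("snaplen 96: original keeps %zu, guarded keeps %zu\n",
           count_kept(skip_original, 96), count_kept(skip_guarded, 96));
    return 0;
}
```

With a non-zero snapshot length the two checks behave identically, so the guard only changes the outcome for readers that leave the value at 0.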