
Ethereal-dev: Re: [Ethereal-dev] pcap: file has %u-byte packet, bigger than maximum of %u - On

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Philippe legay <phlegay@xxxxxxx>
Date: Sun, 27 Mar 2005 01:13:00 +0100
Problem Description

Install Fink on Mac G5 (Mac OS X 10.3.8 - fink 0.7.1 - gcc 20030304 v 3.3)
Compile ethereal : Compilation is OK, and binary is OK.

Install Fink on Mac G4 (Mac OS X 10.3.8 - fink 0.7.1 - gcc 20030304 v 3.3)
Compile ethereal : Compilation is OK, and binary is KO. So I asked Fink to keep the working folders, in order to be able to debug and compile ethereal. So, I added some "fprintf(stderr," into ethereal and I could compile and launch my ethereal. So I saw my debug statements.

The bug is :
The error is : wiretap/libpcap.c : g_strdup_print("pcap: file has %u-byte packet, bigger than maximum of %u", hdr->hdr.incl_len, WTAP_PACKET_SIZE) ; In fact the bad value is not a constant, but seems to be a time stamp. The capture is a single UDP packet ! If I stop the ethereal capture without any packet, the error message is "the packet seems to cut in the middle".

Debugging :
Thanks to the list, I know that the problem was a reading problem. I decided to analyze a simple file : one UDP packet.

a1b2c3d4        00020004        00000000        00000000
0000ffff        00000001        4238c842        0000d028
00000042        00000042        ffffffff        ffff0004
e2a672c4        08004500        003400fb        00004011
f36dc0a8        0201c0a8        02ff0208        02080020
b18f0202        00000002        0000c0a8        0200ffff
ff000000        00000000        00100000

wiretap/libpcap.c/libpcap_open :
 file_read of magic : OK
 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
 00020004 00000000 00000000 0000ffff 00000001
 So my capture version is 2.4, size of packet 65535 (see
 wiretap/libpcap.h)
 call libpcap_try (where wth->file_type = WTAP_FILE_PCAP)
wiretap/libpcap.c/libpcap_try :
 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1)
  Where offset is 4
wiretap/libpcap.c/libpcap_read_header
 bytes_to_read = sizeof (struct pcaprec_hdr);
  file_read of :
 4238c842 0000d028 00000042 00000042
 With the 2 timestamps and the length of the packet. Both sanity checks are OK
go back into wiretap/libpcap.c/libpcap_try :
 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
  The idea is to jump over the first packet (the value of 0x42 is right).
Now into wiretap/libpcap.c/libpcap_try :
 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1)
wiretap/libpcap.c/libpcap_read_header
 bytes_to_read = sizeof (struct pcaprec_hdr);
 file_read of :
 a1b2c3d4 00020004 00000000 00000000

BIG BUG !?
 Why does ethereal read at the beginning of the file, not at the correct position ? No idea (and of course no source of the dynamic library libz.dylib*)

How to solve the problem :
I tried different ideas, but I succeeded only in :

  • Compile ethereal on Mac G4 without libz (read the readme.macos to solve some compilation bugs).
  • Get from Internet the zlib2.2.
  • Try to compile it : failure : The _uncompress entry is not found by the link editor.
  • So, in the Makefile folder :

    REF=/Volumes/SBootexg/zlib-1.2.2/
    cp $REF/uncompr.o   .
    cp $REF/inflate.o   .
    cp $REF/crc32.o     .
    cp $REF/adler32.o   .
    cp $REF/zutil.o     .
    cp $REF/inftrees.o  .
    cp $REF/inffast.o   .

    And then patch the makefile (that was deleted by ./configure) :

    # patch PHL for Mac OS X
    PHL_ZLIB = uncompr.o inflate.o crc32.o adler32.o zutil.o inftrees.o inffast.o

    And also modify :
    ethereal$(EXEEXT): $(ethereal_OBJECTS) $(ethereal_DEPENDENCIES)
            @rm -f ethereal$(EXEEXT)
            $(LINK) $(ethereal_LDFLAGS) $(ethereal_OBJECTS) $(PHL_ZLIB) $(ethereal_LDADD) $(LIBS)
    and
    tethereal$(EXEEXT): $(tethereal_OBJECTS) $(tethereal_DEPENDENCIES)
            @rm -f tethereal$(EXEEXT)
            $(LINK) $(tethereal_LDFLAGS) $(tethereal_OBJECTS) $(PHL_ZLIB) $(tethereal_LDADD) $(LIBS)


Now you get a binary ethereal that is running on the Mac G4 !

Thanks.

* do not touch this library ! If you suppress it, you can't fork any new terminal (X or AQUA), new shells.
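A stand-alone reader for the one-packet file traced in the message above, added here as an illustration; it is not code from the email or from Ethereal's wiretap library. It embeds the 106 bytes of the hex dump as constructed sample input (the dump's trailing "0000" is assumed to be display padding), decides byte order from the magic rather than from the host, and applies the checks the message quotes: a record whose incl_len exceeds the maximum packet size (assumed here to be 65535, matching the snaplen in the file header) is rejected, and a record whose data runs past the end of the input is reported as cut short. The function names and status codes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed maximum packet size, the bound the quoted error message compares against. */
#define WTAP_PACKET_SIZE 65535u
#define PCAP_FILE_HDR_LEN 24
#define PCAP_REC_HDR_LEN  16

/* Constructed from the hex dump in the email: 24-byte global header,
 * 16-byte record header, 66-byte (0x42) Ethernet/IP/UDP frame. */
static const uint8_t sample_pcap[] = {
    0xa1,0xb2,0xc3,0xd4, 0x00,0x02,0x00,0x04, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0xff,0xff, 0x00,0x00,0x00,0x01,
    0x42,0x38,0xc8,0x42, 0x00,0x00,0xd0,0x28, 0x00,0x00,0x00,0x42, 0x00,0x00,0x00,0x42,
    0xff,0xff,0xff,0xff, 0xff,0xff,0x00,0x04, 0xe2,0xa6,0x72,0xc4, 0x08,0x00,0x45,0x00,
    0x00,0x34,0x00,0xfb, 0x00,0x00,0x40,0x11, 0xf3,0x6d,0xc0,0xa8, 0x02,0x01,0xc0,0xa8,
    0x02,0xff,0x02,0x08, 0x02,0x08,0x00,0x20, 0xb1,0x8f,0x02,0x02, 0x00,0x00,0x00,0x02,
    0x00,0x00,0xc0,0xa8, 0x02,0x00,0xff,0xff, 0xff,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x10
};

/* Outcomes, mirroring the two error messages the email mentions (names are this example's). */
enum pcap_status {
    PCAP_OK        =  0,
    PCAP_BAD_MAGIC = -1,   /* not a pcap file                                  */
    PCAP_TOO_BIG   = -2,   /* "file has %u-byte packet, bigger than maximum"   */
    PCAP_CUT_SHORT = -3    /* "the packet seems to be cut in the middle"        */
};

struct pcap_file_hdr { uint16_t version_major, version_minor; uint32_t snaplen, network; int big_endian; };
struct pcaprec_hdr   { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

/* Read a field in the byte order announced by the magic, independent of the host CPU. */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}
static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

/* Parse the 24-byte global header; the magic a1b2c3d4 fixes the byte order. */
int pcap_read_file_header(const uint8_t *buf, size_t len, struct pcap_file_hdr *h) {
    if (len < PCAP_FILE_HDR_LEN) return PCAP_CUT_SHORT;
    if (rd32(buf, 1) == 0xa1b2c3d4u)      h->big_endian = 1;
    else if (rd32(buf, 0) == 0xa1b2c3d4u) h->big_endian = 0;
    else return PCAP_BAD_MAGIC;
    h->version_major = rd16(buf + 4, h->big_endian);
    h->version_minor = rd16(buf + 6, h->big_endian);
    /* bytes 8..15 hold thiszone and sigfigs, which are not needed here */
    h->snaplen = rd32(buf + 16, h->big_endian);
    h->network = rd32(buf + 20, h->big_endian);
    return PCAP_OK;
}

/* Parse one 16-byte record header at offset off and apply the size sanity check. */
int pcap_read_rec_header(const uint8_t *buf, size_t len, size_t off,
                         const struct pcap_file_hdr *h, struct pcaprec_hdr *r) {
    if (off + PCAP_REC_HDR_LEN > len) return PCAP_CUT_SHORT;
    r->ts_sec   = rd32(buf + off,      h->big_endian);
    r->ts_usec  = rd32(buf + off + 4,  h->big_endian);
    r->incl_len = rd32(buf + off + 8,  h->big_endian);
    r->orig_len = rd32(buf + off + 12, h->big_endian);
    if (r->incl_len > WTAP_PACKET_SIZE) return PCAP_TOO_BIG;
    return PCAP_OK;
}

/* Walk every record: read a header, then skip incl_len bytes of packet data
 * (the "jump over the packet" step the email traces in libpcap_try).
 * Returns the record count, or a negative pcap_status. */
int pcap_count_records(const uint8_t *buf, size_t len, struct pcaprec_hdr *last) {
    struct pcap_file_hdr fh;
    int st = pcap_read_file_header(buf, len, &fh);
    if (st != PCAP_OK) return st;
    size_t off = PCAP_FILE_HDR_LEN;
    int count = 0;
    while (off < len) {
        struct pcaprec_hdr r;
        st = pcap_read_rec_header(buf, len, off, &fh, &r);
        if (st != PCAP_OK) return st;
        off += PCAP_REC_HDR_LEN;
        if (r.incl_len > len - off) return PCAP_CUT_SHORT;   /* data truncated */
        off += r.incl_len;
        if (last) *last = r;
        count++;
    }
    return count;
}

int main(void) {
    struct pcap_file_hdr fh;
    struct pcaprec_hdr last;
    if (pcap_read_file_header(sample_pcap, sizeof sample_pcap, &fh) == PCAP_OK)
        printf("pcap %u.%u, %s-endian, snaplen %u, linktype %u\n", fh.version_major,
               fh.version_minor, fh.big_endian ? "big" : "little", fh.snaplen, fh.network);
    int n = pcap_count_records(sample_pcap, sizeof sample_pcap, &last);
    if (n < 0) printf("parse error %d\n", n);
    else printf("%d record(s); last: ts=%u.%06u incl_len=%u orig_len=%u\n",
                n, last.ts_sec, last.ts_usec, last.incl_len, last.orig_len);
    return 0;
}
```

Run as-is it reports version 2.4, big-endian, snaplen 65535, linktype 1 and a single 66-byte record, exactly the values the trace above reads from the first two headers; feeding it a truncated or corrupted copy of the same bytes exercises the two error paths, which is a quick way to tell a genuinely bad capture from a misbehaving file I/O layer before digging into the library.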