| Bug ID |
12167
|
| Summary |
"total block length ... is too large" error when opening pcapng file with multiple SHB sections
|
| Product |
Wireshark
|
| Version |
2.0.1
|
| Hardware |
All
|
| OS |
All
|
| Status |
UNCONFIRMED
|
| Severity |
Minor
|
| Priority |
Low
|
| Component |
Capture file support (libwiretap)
|
| Assignee |
[email protected]
|
| Reporter |
[email protected]
|
Build Information:
TShark (Wireshark) 2.0.1 (SVN Rev Unknown from unknown)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.7, with GLib 2.32.4, with SMI 0.4.8, with c-ares 1.9.1, with Lua
5.2, with GnuTLS 2.12.20, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.
Running on Linux 3.2.0-4-amd64, with locale en_US.UTF-8, with libpcap version
1.3.0, with libz 1.2.7, with GnuTLS 2.12.20, with Gcrypt 1.5.0.
Intel(R) Core(TM) i5-3340M CPU @ 2.70GHz (with SSE4.2)
Built using gcc 4.7.2.
--
Currently multi-section PCAPng files are not supported and Wireshark is
supposed to write an excuse when opening such file. This does not work
correctly when the file is in big endian encoding.
The reason is "wiretap/pcapng.c": "pn->byte_swapped" flag is set to TRUE in
"pcapng_read_section_header_block" if "shb.magic" is 0x4D3C2B1A (which
signalizes the big endian encoding). Besides setting the flag, the same
function translates variables "bh->block_total_length", "pn->version_major",
pn->version_minor" from big to little endian. So far so good.
However, when "pn->byte_swapped" is TRUE, the superior function
"pcapng_read_block" also translates "bh.block_total_length" of each block it
reads. For the first SHB it is fine (because "pn->byte_swapped" is FALSE at the
beginning and translated only by "pcapng_read_section_header_block") but every
further SHB is translated twice: first time from big to small by
"pcapng_read_block" and immediately again, from small to big, by
"pcapng_read_section_header_block".
The result is that the library reports a block size error on the second SHB
instead of the excuse that this is not supported. Adding "if (pn->byte_swapped
== TRUE) break;" line after "case(0x4D3C2B1A):" resolves the issue.
Additionally - is there any reason why not to support multi SHB pcaps? It seems
to work good when I remove the code that forbids that (I haven't done any big
tests though).
You are receiving this mail because:
- You are watching all bug changes.
