ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 12167] "total block length ... is too large" error when op

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Wed, 24 Feb 2016 22:01:15 +0000

Comment # 3 on bug 12167 from 
(In reply to Ondrej Holecek from comment #2)
> (In reply to Guy Harris from comment #1)
> > Did you try it with a file constructed by concatenating a big-endian pcapng
> > file and a little-endian pcapng file?  Nothing in the pcapng spec requires
> > that all sections have the same byte order.
> 
> I can try it tomorrow if you mean it seriously,

I mean "seriously" as in "you should try it before assuming it Just Works".

> however I don't understand
> why this particular thing shouldn't work - if this bug is fixed correctly,
> the code learns the endianness from the beginning of each SHB.

"Correctly" here would then have to mean "replace the byte_swapped,
version_major, version_minor, and interfaces members of a pcapng_t with a data
structure that keeps track of the beginning offsets of each section in the
file, giving, for each section, a major and minor version number, byte order
indication, a list of interfaces, and name resolution information".

> > Make sure it works with Wireshark, too - and doesn't get confused by the
> > resetting of the interface list in the second section.
> 
> I have a capture [happy? :)] containing 20000 packets where each SHB has 100
> packets max and it seems to work well in tshark and wireshark - all packets
> are displayed, filtered packets from different sections are shown, etc.

If, for example, you have a file with the first section having interfaces "en0"
and "en1", and the second section having interfaces "eth0" and "eth1", does it
report, in the "Frame" section for packets in the first section, "en0" or "en1"
as the interface on which the packets arrived and, in the "Frame" section for
packets in the second section, "eth0" and "eth1" as the interface on which the
packets arrived?

And what does it show in the interface list in Wireshark if you do Statistics
-> Capture File Properties?  Does it show all the interfaces - "en0", "en1",
"eth0", and "eth1" - or does it show multiple sections, the first with "en0"
and "en1" and the second with "eth0" and "eth1"?

I.e., there's a significant amount of work that would need to be done to
support multiple sections; it's *not* a trivial change.  It's worth doing at
some point, but it's not as if you can just change a few lines of code and
it'll Just Work.

You are receiving this mail because:
  • You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube