Wireshark-dev: Re: [Wireshark-dev] tvb parameter
From: prashanth joshi <[email protected]>
Date: Thu, 9 Nov 2006 15:41:09 -0800 (PST)
Hi Harris,
Thanks for the Reply.
The code I have written uses the existing features of ethereal. My code starts after the Data Record format and format verion are parsed in the data_record_transfer_request ( ). And from there I call my function to parse the further things. The ethereal version we are using is an older one (2005). When we run the ethereal without our code the trace file is correctly parsed. Only when we run ethereal with our added code the error occurs. We are currently running ethereal on Linux.  I feel the capture was done at San Jose , CISCO. 
I have one doubt. The code even though may be faulty, affects only the current packet. When the control shifts from the GTP to the ethereal the old tvb of GTP will be discarded and if there is a new GTP packet, then a new tvb will be allocated and given to the GTP. In that case how the other packets are affected I am unable to understand.
Regards,
Prashanth.  

Guy Harris <[email protected]> wrote:

On Nov 9, 2006, at 1:41 PM, prashanth joshi wrote:

> We have written parsing code for the "Data Record Transfer Request".
> The code wroks fine for some of the trace files we have. But for one
> trace file which has captured GTP packets over UDP our code is not
> working correct. If we run ethereal without our code addition it
> shows around 560 packets. However if we run the ethereal with our
> code addition the following error message shows up:
>
> " The capture file appears to be damaged or corrupt.
> (pcap: File has 3858759680-byte packet, bigger than maximum of
> 65535) "
>
> And there is an option "OK". If we click on that then we do get the
> ethereal display , but now only 466 packets are shown.
> Please any one tell me the reason behind this.

The reason behind this is that the capture file appears to be damaged
or corrupt; that's why the error message says "The capture file
appears to be damaged or corrupt."

That error will not occur as a result of problems in packet dissector
code unless that code overwrites some data structure for the Wiretap
library.

Did you build a separate version of Wireshark with your changes? Is
the version without your code just a standard distribution, or is it
something you built from the same source tree using the same build
process as the version with your changes, so the only difference is
your changes? If not, what happens if you back out your changes,
rebuild Wireshark, and try reading that file with that version?

On what operating system are you running Wireshark?

What version are you running?

Is the capture file gzipped?

Where was the capture done?

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev


Everyone is raving about the all-new Yahoo! Mail beta.