Wireshark-dev: Re: [Wireshark-dev] pcap with packet size >64k ?

From: Reinhard Speyerer <rspmn@xxxxxxxx>
Date: Wed, 09 Jan 2008 22:15:04 +0100

warlord wrote:
> Good idea Ulf. I attached a small pcap which includes a hostname request
> sent to the nameserver. As I took the liberty to hexedit the IP
> addresses the checksum is wrong, but that doesn't matter.
> 
> The two size fields in the pcap are 32 bits each, claiming the packet
> size was 4b 00 01 00 (0x0001004b), which is 65611. When Wireshark loads
> this pcap it complains about a packet size >65535.

The solution proposed by Márton Németh works for me when I make sure that
the appropriate shared libraries are used, e.g. by using:

$ perl -pi.bak -e 's/(#define.*WTAP_MAX_PACKET_SIZE).*/\1 262143/' wiretap/wtap.h
$ env LD_LIBRARY_PATH=/usr/local/wireshark-xxl/lib/ LD_RUN_PATH=/usr/local/wireshark-xxl/lib/ ./configure --prefix=/usr/local/wireshark-xxl
$ env LD_LIBRARY_PATH=/usr/local/wireshark-xxl/lib/ LD_RUN_PATH=/usr/local/wireshark-xxl/lib/ make
$ env LD_LIBRARY_PATH=/usr/local/wireshark-xxl/lib/ LD_RUN_PATH=/usr/local/wireshark-xxl/lib/ make install
$ tshark -r /tmp/test2.pcap 
tshark: "/tmp/test2.pcap" appears to be damaged or corrupt.
(pcap: File has 65611-byte packet, bigger than maximum of 65535)
$ /usr/local/wireshark-xxl/bin/tshark -r /tmp/test2.pcap
tshark: "/tmp/test2.pcap" appears to have been cut short in the middle of a packet.

Regards,
Reinhard
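
Added example (not part of the original message and not Wireshark's code): a Python walk over classic pcap record headers that reports the two conditions seen in the tshark output above, an included length above the reader's maximum and a record that claims more bytes than the file holds. The function names and the sample capture are constructed for illustration; the sample is not the attached test2.pcap.

```python
import struct

# Classic pcap magic as it appears on disk, mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
DEFAULT_MAX = 65535  # the maximum quoted in the tshark error above


def check_pcap(data, max_packet_size=DEFAULT_MAX):
    """Return a list of (record_number, problem) found while walking the records."""
    if len(data) < 24 or data[:4] not in MAGICS:
        return [(0, "not a classic pcap file")]
    endian = MAGICS[data[:4]]
    problems = []
    offset, recno = 24, 0  # the global header is 24 bytes
    while offset < len(data):
        recno += 1
        if len(data) - offset < 16:
            problems.append((recno, "cut short in the record header"))
            break
        # Record header: ts_sec, ts_usec, incl_len, orig_len (32 bits each).
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if incl_len > max_packet_size:
            problems.append((recno, f"{incl_len}-byte packet, bigger than maximum of {max_packet_size}"))
            break  # the length cannot be trusted, so stop instead of resyncing
        remaining = len(data) - offset
        if incl_len > remaining:
            problems.append((recno, f"cut short: header claims {incl_len} bytes, {remaining} present"))
            break
        offset += incl_len
    return problems


def build_sample(claimed_len, payload_len):
    """Constructed one-record capture; claimed_len goes into both size fields."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, claimed_len, claimed_len)
    return global_hdr + record_hdr + b"\x00" * payload_len


if __name__ == "__main__":
    # Constructed case: the header claims 65611 bytes, only 75 bytes follow.
    sample = build_sample(65611, 75)
    print(check_pcap(sample))          # default 65535 limit
    print(check_pcap(sample, 262143))  # raised limit, as in the rebuilt tshark
```

With the default limit the constructed file is rejected for its size; with the limit raised to 262143 the same file is reported as cut short, because the length check no longer stops the reader before it compares the claimed length with the bytes available.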