
Wireshark-dev: Re: [Wireshark-dev] pcap with packet size >64k ?

From: warlord <warlord@xxxxxxxxxxx>
Date: Thu, 10 Jan 2008 14:19:43 +0100

Thx for making me retry, Reinhard. No idea what I did wrong the first
time, but this time it worked. After changing the variable in wtap.h and
recompiling wireshark, I was able to open pcaps with packet sizes up to
the specified size (for the test: 96k).

Looks like my project could actually work out. Now for the real work....

wrl

P.S.: I didn't change env variables. All I did was edit wtap.h

Reinhard Speyerer wrote:
| warlord wrote:
|> Good idea Ulf. I attached a small pcap which includes a hostname request
|> sent to the nameserver. As I took the liberty to hexedit the IP
|> addresses the checksum is wrong, but that doesn't matter.
|>
|> The two size fields in the pcap are 32 bits each, claiming the packet
|> size was 4b 00 01 00 (0x0001004b), which is 65611. When wireshark loads
|> this pcap it complains about a packet size >65535.
|
| The solution proposed by Márton Németh works for me when I make sure that
| the appropriate shared libraries are used, e.g. by using:
|
| $ perl -pi.bak -e 's/(#define.*WTAP_MAX_PACKET_SIZE).*/\1 262143/' wiretap/wtap.h
| $ env LD_LIBRARY_PATH=/usr/local/wireshark-xxl/lib/ LD_RUN_PATH=/usr/local/wireshark-xxl/lib/ ./configure --prefix=/usr/local/wireshark-xxl
| $ env LD_LIBRARY_PATH=/usr/local/wireshark-xxl/lib/ LD_RUN_PATH=/usr/local/wireshark-xxl/lib/ make
| $ env LD_LIBRARY_PATH=/usr/local/wireshark-xxl/lib/ LD_RUN_PATH=/usr/local/wireshark-xxl/lib/ make install
| $ tshark -r /tmp/test2.pcap
| tshark: "/tmp/test2.pcap" appears to be damaged or corrupt.
| (pcap: File has 65611-byte packet, bigger than maximum of 65535)
| $ /usr/local/wireshark-xxl/bin/tshark -r /tmp/test2.pcap
| tshark: "/tmp/test2.pcap" appears to have been cut short in the middle of a packet.
|
| Regards,
| Reinhard


--
dreaming in digital - living in realtime - thinking in binary - talking
in IP - welcome to our world
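
The two tshark results quoted above come from two separate checks on an untrusted length field: the per-record captured length is compared against a compile-time maximum, and then against the bytes actually left in the file. The following is an added example, not Wireshark's wiretap code and not part of the original thread; `check_pcap`, `make_sample` and the status names are hypothetical, and the sample file is constructed in memory (little-endian classic pcap, one record claiming 0x0001004b bytes).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pcap_status { PCAP_OK, PCAP_BAD_HEADER, PCAP_TOO_BIG, PCAP_CUT_SHORT };

/* Read a little-endian 32-bit field, the byte order of the capture in the thread. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk every record; bound the claimed length before using it for any read. */
enum pcap_status check_pcap(const uint8_t *buf, size_t len, uint32_t max_len) {
    if (len < 24 || le32(buf) != 0xa1b2c3d4u) return PCAP_BAD_HEADER;
    size_t off = 24;                                  /* skip the global header */
    while (off < len) {
        if (len - off < 16) return PCAP_CUT_SHORT;    /* partial record header */
        uint32_t incl_len = le32(buf + off + 8);      /* captured length field */
        if (incl_len > max_len) return PCAP_TOO_BIG;  /* "bigger than maximum" */
        off += 16;
        if (len - off < incl_len) return PCAP_CUT_SHORT; /* data missing */
        off += incl_len;
    }
    return PCAP_OK;
}

/* Constructed sample: one record claiming claimed_len bytes but carrying data_len. */
uint8_t *make_sample(uint32_t claimed_len, size_t data_len, size_t *out_len) {
    static const uint8_t ghdr[24] = {   /* magic, v2.4, zone, sigfigs, snaplen, Ethernet */
        0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
    *out_len = 24 + 16 + data_len;
    uint8_t *buf = calloc(1, *out_len);
    if (!buf) return NULL;
    memcpy(buf, ghdr, sizeof ghdr);
    for (int i = 0; i < 4; i++) {       /* both size fields, as in the hex-edited file */
        buf[24 + 8 + i]  = (uint8_t)(claimed_len >> (8 * i));
        buf[24 + 12 + i] = (uint8_t)(claimed_len >> (8 * i));
    }
    return buf;
}

int main(void) {
    size_t n;
    uint8_t *b = make_sample(0x0001004bu, 100, &n);   /* 65611 claimed, 100 present */
    if (!b) return 1;
    printf("max 65535 -> %d, max 262143 -> %d\n",     /* 2 = TOO_BIG, 3 = CUT_SHORT */
           check_pcap(b, n, 65535), check_pcap(b, n, 262143));
    free(b);
    return 0;
}
```

Raising the maximum only moves the first check; the second one still has to reject a record whose claimed length exceeds the remaining file.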
