Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message
From: "Maynard, Chris" <[email protected]>
Date: Mon, 22 Mar 2010 11:32:07 -0400
"Packet Size limited during capture" tells me that the packet was bigger than the snaplen set, so the packet was truncated when captured.  In Wireshark, the snaplen is set in the capture options dialog using the "Limit each packet to ___ bytes" option, and with dumpcap, tshark and tcpdump it is set via the "-s <snaplen>" option.  If not specified, tcpdump uses a default snaplen of 68 (or 96, depending on the platform).  Which program did you use to capture the packets and what was the value of the snaplen vs. what was the expected number of bytes for the packet in question?

Too bad the snaplen information isn't available through capinfos, but you can find out the snaplen via Wireshark's Statistics -> Summary window, listed as "Packet size limit".

- Chris

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Mike Morrin
Sent: Monday, March 22, 2010 2:59 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packet Size limited during capture message

When I run a pcap file with my dissector in place wireshark crashes 
(win32.dll error).

But I was able to run the pcap file and stop the loading process before 
it crashed and one thing that I noticed
was in the info column it said "Packet Size limited during capture".

I never saw this before...does anybody know what this means..?? Could 
this be why it was crashing..??

MM- I have seen "Packet Size limited during capture" due to a bug where
a dissector assumed that a PDU always had a data segment at the end, but
occasionally one didn't.  That would not directly cause your crash, you
probably have 2 bugs.

Try running with a breakpoint in do_throw() (around line 182 in except
.c), on a trace that has only the packet(s) that cause the problem.

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.