Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message
From: Brian Oleksa <[email protected]>
Date: Tue, 23 Mar 2010 20:40:32 -0400

The snaplen was set to 150 when using tshark.
I see a Frame that says (for example): Frame 7 (341 bytes on wire, 150 bytes captured).
But looking at the detailed view of this packet...  it actually looks 
good until you get to the end... it is truncated.
And NO... the pcap file doesn't crash when the dissector is removed. I 
can load about 70% of it and hit stop....but
if I let it go any further it will crash wireshark.

Like I said in my email to martin.... if I followed all the wireshark coding standards... shouldn't the code handle this..??
What should be my next step..??

Thanks for your help


Guy Harris wrote:
On Mar 21, 2010, at 9:14 PM, Brian Oleksa wrote:

But I was able to run the pcap file and stop the loading process before it crashed and one thing that I noticed
was in the info column it said "Packet Size limited during capture".
In the detail view for the packet that has "Packet Size limited during capture", the topmost line ("Frame {N}") should say "{N} bytes on wire, {M} bytes captured" (it might also give some numbers of bits).  Is {N} greater than {M}?  If so, that's the problem - the packets were captured with a snapshot length specified, so that at most the first {M} bytes of the packet were saved to the file.
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe