Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message

From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Mar 2010 20:40:32 -0400
Guy

The snaplen was set to 150 when using tshark.
I see a Frame that says (for example): Frame 7 (341 bytes on wire, 150 bytes captured).

But looking at the detailed view of this packet... it actually looks good until you get to the end... it is truncated.

And NO... the pcap file doesn't crash when the dissector is removed. I can load about 70% of it and hit stop....but
if I let it go any further it will crash wireshark.

Like I said in my email to martin.... if I followed all the wireshark coding standards... shouldn't the code handle this..??

What should be my next step..??

Thanks for your help

Brian



Guy Harris wrote:
On Mar 21, 2010, at 9:14 PM, Brian Oleksa wrote:

But I was able to run the pcap file and stop the loading process before it crashed and one thing that I noticed
was in the info column it said "Packet Size limited during capture".

In the detail view for the packet that has "Packet Size limited during capture", the topmost line ("Frame {N}") should say "{N} bytes on wire, {M} bytes captured" (it might also give some numbers of bits).  Is {N} greater than {M}?  If so, that's the problem - the packets were captured with a snapshot length specified, so that at most the first {M} bytes of the packet were saved to the file.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe