Wireshark-dev: Re: [Wireshark-dev] Fragmented, truncated packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 1 Sep 2011 21:53:07 -0700
On Sep 1, 2011, at 1:09 PM, Glenn Matthews wrote:

> I'm working on a new dissector for a TCP-based protocol. I think I've got the dissector successfully handling fragmented packets (using tcp_dissect_pdus), and I think I've got the dissector successfully handling truncated packets ("packet size limited during capture") but what do I need to do for captures where both apply?

Add support for reassembly of cut-off-by-the-snaplen packets to Wireshark.

I.e.:

> Is this a known limitation in Wireshark,

Yes.

It might be possible to remove that limitation, but it'd probably be tricky.  I'd suggest using "-s 0" as the argument to tcpdump when capturing (the "96" sounds suspiciously like the default snapshot length for IPv6-capable tcpdump until the recent changes to default to 65535, that being what you get with "-s 0" in tcpdumps from the past N years for some value of N).
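
One way to check a capture for the condition discussed in this thread before relying on TCP reassembly, as an added example that is not part of the original message or of Wireshark's code: it reads a classic pcap file (not pcapng) and lists the records whose captured length is smaller than their on-the-wire length. The names `scan_pcap` and `build_sample` and the sample capture are constructed for illustration.

```python
import io
import struct

# First four bytes of a classic pcap file -> byte order of its headers
# (microsecond and nanosecond timestamp variants share the same layout).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def scan_pcap(stream):
    """Return (snaplen, record_count, truncated) for a classic pcap stream.

    truncated is a list of (record_index, captured_len, wire_len) for every
    record that was cut off by the snapshot length.
    """
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[header[:4]]
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII", header[4:])
    truncated, count = [], 0
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("file ends inside a record header")
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            raise ValueError("file ends inside packet data")
        if incl_len < orig_len:  # "packet size limited during capture"
            truncated.append((count, incl_len, orig_len))
        count += 1
    return snaplen, count, truncated

def build_sample(snaplen=96):
    """Constructed sample: three zero-filled records captured at `snaplen`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for wire_len in (60, 1514, 96):
        incl_len = min(wire_len, snaplen)
        out += struct.pack("<IIII", 0, 0, incl_len, wire_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    snaplen, total, cut = scan_pcap(io.BytesIO(build_sample()))
    print(f"snaplen={snaplen} records={total} truncated={len(cut)}")
    for idx, incl, wire in cut:
        print(f"record {idx}: captured {incl} of {wire} bytes")
```

Any record it reports is missing payload bytes, so a PDU spanning that segment cannot be fully reassembled from the file.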