Wireshark-dev: Re: [Wireshark-dev] Wireshark / TShark Record Length: Stops Display

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 11 Aug 2017 10:31:46 -0700
On Aug 11, 2017, at 9:26 AM, Nalini J Elkins <nalini.elkins@xxxxxxxxxxxxxxxxxx> wrote:

> I am testing some test code for the new PDM IPv6 Destination Option (https://datatracker.ietf.org/doc/draft-ietf-ippm-6man-pdm-option/) which is now in the RFC Editor's queue, so should get an RFC number soon!
> 
> Anyway, what is happening is that we have a bug in the record length (I suspect!) when there is IP fragmentation.  At least, we are trying to fix our issues with an IP fragmentation bug in our code.  The message I get from Wireshark is:
> 
> "The capture file appears to be damaged or corrupt. (pcap: File has 172958905-byte packet, bigger than maximum of 262144)"
> 
> I suspect that is an invalid packet that we have created.

No, it's an invalid *file*.  As the message says, "The capture file appears to be damaged or corrupt."

It's not a problem with the packet, it's a problem with the record in the file that *contains* the packet; it claims that the packet is 172,958,905 bytes long, but we - and libpcap - limit the maximum packet size to 262,144 bytes, to prevent an attempt to read a capture file from allocating a huge chunk of memory from a possibly-damaged file.

How did you create that capture file?

If you created it with a normal capture program, such as tcpdump, TShark, Wireshark, or dumpcap, what version of that program was used, and, if the file was transferred between machines, how was it transferred?

If you created it with your own program, did it use its own code to write out the pcap file format, or did it use, for example, libpcap to handle the pcap file format?
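As an added illustration of the check described above (this is not code from the thread, from Wireshark or from libpcap): a small Python walker over the 16-byte pcap record headers that reports a record whose captured length exceeds the 262144-byte limit, plus a constructed writer used to build sample files, one of them carrying the bogus length from the reported error.

```python
import struct

# Ceiling Wireshark and libpcap apply to a pcap record's captured length,
# the "maximum of 262144" quoted in the error message above.
MAX_PACKET_LEN = 262144

# Microsecond-timestamp pcap magic as it appears on disk -> struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def check_pcap(data: bytes) -> list[str]:
    """Walk every 16-byte record header of an in-memory pcap image and return
    the problems found; an empty list means every record header is plausible."""
    if len(data) < 24:
        return ["file shorter than the 24-byte pcap global header"]
    endian = MAGICS.get(data[:4])
    if endian is None:
        return [f"unknown magic {data[:4].hex()}"]
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    problems, offset, index = [], 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            problems.append(f"record {index}: truncated record header at offset {offset}")
            break
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > MAX_PACKET_LEN:
            problems.append(f"record {index}: {incl_len}-byte packet, bigger than maximum of {MAX_PACKET_LEN}")
            break  # the length field cannot be trusted, so the next record cannot be located
        if incl_len > snaplen:
            problems.append(f"record {index}: incl_len {incl_len} exceeds file snaplen {snaplen}")
        if incl_len > orig_len:
            problems.append(f"record {index}: incl_len {incl_len} exceeds orig_len {orig_len}")
        if offset + 16 + incl_len > len(data):
            problems.append(f"record {index}: packet data truncated at offset {offset + 16}")
            break
        offset += 16 + incl_len
        index += 1
    return problems


def build_pcap(records, endian="<", snaplen=65535) -> bytes:
    """Constructed sample writer: global header (version 2.4, linktype 1) plus
    records given as (incl_len, orig_len, payload), so a bogus length field
    like the one in the reported file can be injected deliberately."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for incl_len, orig_len, payload in records:
        out += struct.pack(endian + "IIII", 0, 0, incl_len, orig_len) + payload
    return out
```

Running `check_pcap` over a file that a capture tool wrote and over one written by hand is a quick way to tell whether the fault lies in the packet bytes or in the record header that wraps them.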