Wireshark-users: Re: [Wireshark-users] why does wireshark believe that libpcap has a 65535 max pa

From: Sam Roberts <vieuxtech@xxxxxxxxx>
Date: Wed, 23 Nov 2011 17:31:36 -0800
On Wed, Nov 23, 2011 at 5:06 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> On Nov 23, 2011, at 4:16 PM, Sam Roberts wrote:
>> See definition of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.
>>
>> Seems to me it should be checking this (untested):
>>
>>  if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!
>
> There is no guarantee that wth->snapshot_length is non-zero, given that not all capture file formats Wireshark supports put an explicit snapshot length into the file.

If wth->snapshot_length is zero, assuming it's WTAP_MAX_PACKET_SIZE
would make a lot of sense, and I can see some kind of upper max on
memory usage, but 65K is a pretty small chunk of memory nowadays.

Arguably, we are abusing the pcap format, but we really want to record
sequences of large packets in pcap format, for ease of dissection and
working with. I was hoping there would be a LINK_TCP for raw TCP data,
but in the absence, we are encapsulating the data in fake TCP/IP/ETH
headers, and the end result is sometimes over 0xffff by the size of
the encapsulation. If the WTAP max was 66000 even, we'd be good!

Cheers,
Sam
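An added example, not Wireshark's wiretap code, of the length check this thread discusses with Guy's caveat handled: a record's incl_len is bounded by the file's snapshot length when the format supplies one, and by WTAP_MAX_PACKET_SIZE when it does not. The 16-byte record header layout and the 65535 limit are those of the libpcap format; the function names and the sample record bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The 65535-byte limit discussed in the thread. */
#define WTAP_MAX_PACKET_SIZE 65535

/* Minimal stand-in for the libpcap per-record header. */
struct pcaprec_hdr {
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
};

/* The file's magic number decides its byte order; the caller passes that. */
static uint32_t rd32(const uint8_t *p, bool big_endian)
{
    return big_endian
        ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
        : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Decode one record header from an untrusted buffer; refuse short input. */
bool parse_pcaprec_hdr(const uint8_t *buf, size_t len, bool big_endian,
                       struct pcaprec_hdr *out)
{
    if (buf == NULL || out == NULL || len < 16) return false;
    out->ts_sec   = rd32(buf,      big_endian);
    out->ts_usec  = rd32(buf + 4,  big_endian);
    out->incl_len = rd32(buf + 8,  big_endian);
    out->orig_len = rd32(buf + 12, big_endian);
    return true;
}

/* Hypothetical check: bound incl_len by the file's snapshot length, and by
   WTAP_MAX_PACKET_SIZE when the format carries no snapshot length (0).
   A stored length beyond that limit means a truncated, corrupt or hostile
   file, so the record must be rejected before any buffer is sized from it. */
bool pcaprec_len_ok(const struct pcaprec_hdr *hdr, uint32_t snapshot_length)
{
    uint32_t limit = snapshot_length ? snapshot_length : WTAP_MAX_PACKET_SIZE;
    return hdr->incl_len <= limit;
}

int main(void)
{
    /* Constructed record: incl_len = orig_len = 0x00010000 (65536) little-endian. */
    const uint8_t rec[16] = {0,0,0,0, 0,0,0,0, 0,0,1,0, 0,0,1,0};
    struct pcaprec_hdr h;
    if (!parse_pcaprec_hdr(rec, sizeof rec, false, &h)) return 1;
    printf("incl_len=%u no-snaplen ok=%d snaplen-66000 ok=%d\n",
           h.incl_len, pcaprec_len_ok(&h, 0), pcaprec_len_ok(&h, 66000));
    return 0;
}
```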