
Wireshark-users: [Wireshark-users] Tshark crashes

From: "Alexander Papakhristos" <papakhr@xxxxxxxxx>
Date: Tue, 5 Mar 2013 17:52:48 +0400

Hello, I began to use tshark as an exporter of raw traffic data to PDML format and have a problem: tshark crashes on several files during export. I run it as tshark.exe -r <raw_traffic_file_path> -n -T pdml -V >out.xml. I’ve received the following error:

Unhandled exception ("emem.c:792: failed assertion "size<((10 * 1024 * 1024)>>2)"", group=1, code=4). After some investigation, I found that the problem appears when tshark is writing (in PDML format) a packet containing a data.data field (in any proto node) with a size of more than 2.5 MB.

Example (I’ve replaced non-important values with …):

  <proto name="…">
    <field name="data" value="…">
      <field name="data.data" showname="Data: ..." size="2754632" pos="…" show="…" value="…"/>
      <field name="data.len" showname="Length: 2754632" size="0" pos="…" show="2754632"/>
    </field>
  </proto>

How can I fix it? I can use a filter to exclude packets with data.len > 2.5 MB (“(data and data.len < 2500000) or !data”), but that’s not a very good solution. It seems tshark analyzes all packet fragments and writes the entire data to the first packet in the block. Is there any way to disable that behavior?

Thanks in advance.

With best regards, Alexander
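As an added example (not part of the original post, and not Wireshark project code), the following script shows how to find the packets that would hit the assertion before they take tshark down: it streams a PDML document with xml.etree's iterparse so a multi-megabyte export is never held in memory at once, reports every field whose size attribute reaches the limit quoted in the assertion (10 MiB >> 2, i.e. 2621440 bytes), and builds the equivalent of the poster's exclusion filter for that limit. The sample PDML embedded below is constructed from the fragment in the post; the function names are the example's own.

```python
"""Scan tshark PDML output for oversized field values (added example)."""
import io
import xml.etree.ElementTree as ET

# Limit taken from the assertion text in the post: size < ((10 * 1024 * 1024) >> 2)
EMEM_LIMIT = (10 * 1024 * 1024) >> 2  # 2621440 bytes, i.e. 2.5 MiB

# Constructed sample PDML, abbreviated with "..." as in the post.
# Packet 1 carries a reassembled 2754632-byte data.data field; packet 2 is small.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.8.x">
  <packet>
    <proto name="frame" size="100" pos="0"/>
    <proto name="data" size="2754632" pos="54">
      <field name="data" value="...">
        <field name="data.data" showname="Data: ..." size="2754632" pos="54" show="..." value="..."/>
        <field name="data.len" showname="Length: 2754632" size="0" pos="54" show="2754632"/>
      </field>
    </proto>
  </packet>
  <packet>
    <proto name="frame" size="60" pos="0"/>
    <proto name="data" size="6" pos="54">
      <field name="data" value="...">
        <field name="data.data" showname="Data: ..." size="6" pos="54" show="..." value="..."/>
        <field name="data.len" showname="Length: 6" size="0" pos="54" show="6"/>
      </field>
    </proto>
  </packet>
</pdml>
"""


def oversized_fields(pdml_stream, limit=EMEM_LIMIT):
    """Return [(packet_number, field_name, size)] for fields with size >= limit.

    Packets are numbered from 1 in document order. Each <packet> subtree is
    cleared once its end tag is seen, so memory use stays bounded no matter
    how large the export is.
    """
    hits = []
    packet_no = 0
    for event, elem in ET.iterparse(pdml_stream, events=("start", "end")):
        if event == "start" and elem.tag == "packet":
            packet_no += 1
        elif event == "end" and elem.tag == "field":
            size = int(elem.get("size", "0"))
            if size >= limit:
                hits.append((packet_no, elem.get("name"), size))
        elif event == "end" and elem.tag == "packet":
            elem.clear()  # release the parsed packet subtree
    return hits


def scan_pdml_text(text, limit=EMEM_LIMIT):
    """Convenience wrapper: scan PDML held in a string."""
    return oversized_fields(io.BytesIO(text.encode("utf-8")), limit)


def exclusion_filter(limit=EMEM_LIMIT):
    """Display filter that drops data packets at or above the limit,
    the same shape as the workaround in the post."""
    return "(data and data.len < %d) or !data" % limit


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; a real run would read
    # the output of: tshark -r capture -n -T pdml -V
    for pkt, name, size in scan_pdml_text(SAMPLE_PDML):
        print("packet %d: field %s has size %d (limit %d)" % (pkt, name, size, EMEM_LIMIT))
    print("suggested filter:", exclusion_filter())
```

To use it on a real export, pipe tshark's PDML output into `oversized_fields(sys.stdin.buffer)`; the packet numbers it prints are the ones to exclude with a -Y/-R display filter such as the one `exclusion_filter()` returns. Because the scanner compares the size attribute rather than decoding the hex value, it stays cheap even on fields large enough to trip the assertion.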