Ethereal-dev: Re: [Ethereal-dev] pcap: file has %u-byte packet, bigger than maximum of %u - On 
Problem Description
Install Fink on Mac G5 (Mac OS X 10.3.8 - fink 0.7.1 - gcc 20030304 v 3.3)
Compile ethereal : Compilation is OK, and binary is OK.
Install Fink on Mac G4 (Mac OS X 10.3.8 - fink 0.7.1 - gcc 20030304 v 3.3)
Compile ethereal : Compilation is OK, and binary is KO. So I ask Fink to keep the working folders, in order to be able to debug and compile ethereal.
So, I added some "fprintf(stderr," into ethereal and I could compile and launch my ethereal. So I saw my debug statements.
The bug is :
The error is : wiretap/libpcap.c : g_strdup_printf("pcap: file has %u-byte packet, bigger than maximum of %u", hdr->hdr.incl_len, WTAP_PACKET_SIZE);
In fact the bad value is not a constant, but seems to be a time stamp. The capture is a single UDP packet ! If I stopped ethereal capture without any packet, the error message is "the packet seems to cut in the middle".
Debugging :
Thanks to the list, I know that the problem was a reading problem.
I decide to analyze a simple file : One UDP packet.
a1b2c3d4 00020004 00000000 00000000
0000ffff 00000001 4238c842 0000d028
00000042 00000042 ffffffff ffff0004
e2a672c4 08004500 003400fb 00004011
f36dc0a8 0201c0a8 02ff0208 02080020
b18f0202 00000002 0000c0a8 0200ffff
ff000000 00000000 00100000
wiretap/libpcap.c/libpcap_open :
 file_read of magic : OK
 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
 00020004 00000000 00000000 0000ffff 00000001
 So my capture version is 2.4, size of packet 65535 (see
 wiretap/libpcap.h)
 call libpcap_try (where wth->file_type = WTAP_FILE_PCAP)
wiretap/libpcap.c/libpcap_try :
 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1)
  Where offset is 4
wiretap/libpcap.c/libpcap_read_header
 bytes_to_read = sizeof (struct pcaprec_hdr);
  file_read of :
 4238c842 0000d028 00000042 00000042
 With the 2 timestamps and the length of the packet. Both sanity checks are OK
go back into wiretap/libpcap.c/libpcap_try :
 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
The idea is to jump over the first packet (the value of 0x42 is right).
Now into wiretap/libpcap.c/libpcap_try :
 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1)
wiretap/libpcap.c/libpcap_read_header
 bytes_to_read = sizeof (struct pcaprec_hdr);
 file_read of :
 a1b2c3d4 00020004 00000000 00000000
BIG BUG !?
 Why does ethereal read at the beginning of the file, not at the correct position ? No idea (and of course no source of the dynamic library libz.dylib*)
How to solve the problem :
I try different ideas. But I succeed only in :
- Compile ethereal on Mac G4 without libz (read the readme.macos to solve some compilation bugs).
- Get from Internet the zlib2.2.
  Try to compile it : failure : The _uncompress entry is not found by the link editor.
- So, in the Makefile folder :
REF=/Volumes/SBootexg/zlib-1.2.2/
cp $REF/uncompr.o   .
cp $REF/inflate.o   .
cp $REF/crc32.o     .
cp $REF/adler32.o   .
cp $REF/zutil.o     .
cp $REF/inftrees.o  .
cp $REF/inffast.o   .
And then patch the makefile (that was deleted by ./configure)
# PHL patch for Mac OS X
PHL_ZLIB = uncompr.o inflate.o crc32.o adler32.o zutil.o inftrees.o inffast.o
And also modify :
ethereal$(EXEEXT): $(ethereal_OBJECTS) $(ethereal_DEPENDENCIES)
        @rm -f ethereal$(EXEEXT)
        $(LINK) $(ethereal_LDFLAGS) $(ethereal_OBJECTS) $(PHL_ZLIB) $(ethereal_LDADD) $(LIBS)
and
tethereal$(EXEEXT): $(tethereal_OBJECTS) $(tethereal_DEPENDENCIES)
        @rm -f tethereal$(EXEEXT)
        $(LINK) $(tethereal_LDFLAGS) $(tethereal_OBJECTS) $(PHL_ZLIB) $(tethereal_LDADD) $(LIBS)
Now you get a binary ethereal that is running on the Mac G4 !
Thanks.
* do not touch this library ! If you suppress it, you can't fork any
new terminal (X or AQUA), new shells.
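
An added example, not part of the original message and not Ethereal's code: a small C walker over the one-packet capture quoted above. It shows that reading record headers from offset 24 finds the single packet, while reading them from offset 0 (where the second header read in the trace landed) yields a zero-length record and then a header whose incl_len field falls on the timestamp 0x4238c842 and fails the size check. The names pcap_walk, walk_sample, rd32 and hx are hypothetical, the value 65535 for WTAP_PACKET_SIZE is assumed, and the last two bytes of the dump are assumed to be padding.

```c
#include <stdint.h>
#include <stdio.h>

#define WTAP_PACKET_SIZE 65535u   /* assumed value of the maximum in the error message */

/* Capture from the message, 106 bytes; the dump's last two bytes are assumed padding. */
static const char CAP_HEX[] =
    "a1b2c3d4000200040000000000000000" "0000ffff00000001"   /* file header   */
    "4238c8420000d0280000004200000042"                      /* record header */
    "ffffffffffff0004e2a672c408004500" "003400fb00004011f36dc0a80201c0a8"
    "02ff020802080020b18f020200000002" "0000c0a80200ffffff00000000000000" "0010";
static uint32_t last_bad_len;     /* incl_len that failed the size check */

static int hx(char c) { return c <= '9' ? c - '0' : c - 'a' + 10; }
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[3] << 24 | p[2] << 16 | p[1] << 8 | p[0]
              : (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
}

/* Walk record headers starting at rec_off (24 is correct for pcap).
 * Returns record count, -1 truncated, -2 incl_len too big, -3 bad magic. */
static int pcap_walk(const uint8_t *buf, size_t len, size_t rec_off) {
    if (len < 24) return -1;
    uint32_t magic = rd32(buf, 0);
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -3;
    int le = (magic == 0xd4c3b2a1u), count = 0;
    for (size_t off = rec_off; off < len; count++) {
        if (len - off < 16) return -1;                 /* header cut short */
        uint32_t incl = rd32(buf + off + 8, le);       /* incl_len field */
        if (incl > WTAP_PACKET_SIZE) { last_bad_len = incl; return -2; }
        off += 16;
        if (incl > len - off) return -1;               /* packet cut in the middle */
        off += incl;
    }
    return count;
}

/* Decode the hex above and walk it from rec_off. */
static int walk_sample(size_t rec_off) {
    uint8_t buf[128]; size_t n = 0;
    for (const char *p = CAP_HEX; p[0] && p[1] && n < sizeof buf; p += 2)
        buf[n++] = (uint8_t)(hx(p[0]) << 4 | hx(p[1]));
    return pcap_walk(buf, n, rec_off);
}

int main(void) {
    int ok = walk_sample(24), bad = walk_sample(0);
    printf("offset 24: %d, offset 0: %d (incl_len %u)\n", ok, bad, (unsigned)last_bad_len);
    return 0;
}
```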