Wireshark-dev: Re: [Wireshark-dev] Why am I getting a BoundsError?

From: Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx>
Date: Wed, 25 Oct 2006 20:41:53 -0400
Guy Harris wrote:
Andrew Schweitzer wrote:

Thanks.



In a packet that gets a BoundsError, what are the captured length and (actual) length in the "Frame" section of the packet detail pane?

hm.... it seemed like it captured a full ethernet packet.

1514, if I understand you:
	Frame 1 (1514 bytes on wire, 1514 bytes captured)
		Packet Length: 1514 bytes
		Capture Length: 1514 bytes

My protocol packet would wrap to the next ethernet packet, but this packet reports the error, and the next packet starts at zero, parsing incorrectly because it's actually in the middle of a packet.


If the captured length is less than the actual length, that's because the snapshot length used when the capture was made was less than the actual size of the link-layer packet on the wire; that means that not all data in the link-layer packet is available in the capture.

If that's the case, then:


Is there something I can do to fix it? Either in code or in settings?


...you fix it by increasing the snapshot length. The default snapshot length in Wireshark and Tshark is 65535, which should be big enough for any link-layer packet; however, the default snapshot length in tcpdump is 68 bytes (for tcpdump built without IPv6 support) or 96 bytes (for tcpdump built with IPv6 support), and you need to use the "-s" flag (with the argument 0, unless it's a really old tcpdump, in which case you need the argument 65535) to increase the snapshot length.

hm... my length is less than 2k, definitely not 65535. Any idea what's going on?
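
The captured-length versus on-wire-length check discussed in this thread, as an added example (not code from the thread or from Wireshark): a Python reader for the classic pcap file format that reports the file's snapshot length and flags records whose captured length is less than the length on the wire. The sample capture is constructed in memory, and the function names are hypothetical.

```python
import struct

PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def scan_pcap(data):
    """Return (snaplen, records); each record is (frame_no, captured, on_wire, truncated)."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    order = PCAP_MAGICS[data[:4]]
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    records, offset, frame_no = [], 24, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, length on the wire
        _, _, captured, on_wire = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + captured > len(data):
            raise ValueError("record %d runs past end of file" % (frame_no + 1))
        frame_no += 1
        records.append((frame_no, captured, on_wire, captured < on_wire))
        offset += captured
    return snaplen, records


def build_sample(snaplen, wire_lengths):
    """Constructed capture: zero-filled frames cut to snaplen, as a capture tool would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, on_wire in enumerate(wire_lengths):
        captured = min(on_wire, snaplen)
        out += struct.pack("<IIII", i, 0, captured, on_wire) + bytes(captured)
    return out


if __name__ == "__main__":
    for snaplen in (96, 65535):
        got_snaplen, records = scan_pcap(build_sample(snaplen, [1514, 60]))
        print("snaplen", got_snaplen)
        for frame_no, captured, on_wire, truncated in records:
            note = "TRUNCATED" if truncated else "complete"
            print("  Frame %d (%d bytes on wire, %d bytes captured) %s"
                  % (frame_no, on_wire, captured, note))
```

A frame reported as 1514 bytes on wire and 1514 bytes captured, as in the message above, comes out as complete in this check.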
