Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message
From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Mar 2010 20:19:22 -0400
Martin

Thanks for the input. Our software flows over tactical wireless networks where the links are broken all the time.

But my question is...if I followed all the wireshark coding standards (i.e. tvb_get_guint8(tvb, offset); proto_tree_add_item(sub_tree, xxx ,tvb , offset, 1, FALSE); etc etc etc ....)

Then shouldn't my dissector automatically handle the "packet size limited during capture" problem that I am having..??

If not... then how would one prepare the code to handle these corrupted or truncated packets..??

Any help is greatly appreciated.

Thanks,
Brian



Martin Visser wrote:
Any dissector needs to validate its input and make sure it doesn't make errant conclusions on what is presented.

For example many protocols have fields that indicate lengths of data within the frame. However any dissector needs to make sure that it doesn't just believe those fields as being correct. A bad h@x0r might change those fields beyond what the protocol intended either to crash the real application or even wireshark. Also packets might get unintentionally corrupted or truncated with similar consequences. (Broken links, routers, VPNs can all do this). Wireshark dissectors need to be resilient to this.

Finally Wireshark (and tcpdump) have always had the ability to only capture a truncated packet (mainly to limit resources required during packet capture). A dissector also needs to cope with this.
Regards, Martin

MartinVisser99@xxxxxxxxx


On Wed, Mar 24, 2010 at 2:42 AM, Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx> wrote:

    Chris

    I will have to look into why my dissector is crashing when I get
    the Packet Size Limited during capture message.

    I am an employee of Dark Corner Software. I am writing the
    dissector for our clients that use our software.

    I have fixed the license issue. Attached is the latest updated
    file that I am still working on.

    We have open source software and closed source software. I am
    trying to get the open source dissector submitted through
    wireshark so it can become a part of the wireshark distribution
    (this is the attached copy).

    Our closed source software is for our customers only. I have
    written a dissector for our closed source software for the client.
    This is where I am getting the "Packet Size limited during capture
    " message from.


    Thanks,
    Brian



    Maynard, Chris wrote:

        As Jakub pointed out, regardless of the snaplen, if Wireshark
        is crashing, then the bug is in the dissector, although IMO
        the biggest bug in the dissector is still the incompatible
        license.

        Brian, please carefully read
        http://www.gnu.org/licenses/gpl-faq.html#GPLModuleLicense

        Gerald et al, consider this e-mail as a report of a violation
        of the GPL per
        http://www.gnu.org/licenses/gpl-faq.html#ReportingViolation

        So until the dissector is properly licensed, I suggest
        contacting these folks for support on this dissector:
        http://www.darkcornersoftware.com/contact.html

        - Chris

        -----Original Message-----
        From: wireshark-dev-bounces@xxxxxxxxxxxxx On Behalf Of Mike Morrin
        Sent: Tuesday, March 23, 2010 9:02 AM
        To: Developer support list for Wireshark
        Subject: Re: [Wireshark-dev] Packet Size limited during capture message


        -----Original Message-----
        From: wireshark-dev-bounces@xxxxxxxxxxxxx On Behalf Of Brian Oleksa
        Sent: 23 March 2010 12:23
        To: Developer support list for Wireshark
        Subject: Re: [Wireshark-dev] Packet Size limited during capture message

        Chris

        I just found out that this was captured using tshark.....but
        nobody knows what the snaplen was.

        So my question is....   My code is working correctly
        then....And that this was just a bad judgment of the wrong
        snaplen......correct..??

        Thanks,
        Brian

        --------------------------------------------------------------------
        It is possible for a dissector bug to throw this exception even with a
        perfectly captured packet, see Bug 2855 for example.







        ___________________________________________________________________________
        Sent via:    Wireshark-dev mailing list
        <wireshark-dev@xxxxxxxxxxxxx <mailto:wireshark-dev@xxxxxxxxxxxxx>>
        Archives:    http://www.wireshark.org/lists/wireshark-dev
        Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
                    mailto:wireshark-dev-request@xxxxxxxxxxxxx
        <mailto:wireshark-dev-request@xxxxxxxxxxxxx>?subject=unsubscribe



------------------------------------------------------------------------
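
Added example (not from the thread or from Wireshark's source): a standalone C model of the checks Martin describes, validating a length field against the on-the-wire length and, separately, against the captured length that snaplen limits. The frame_t type, the record layout (1-byte type, 2-byte big-endian length, payload) and all function names are assumptions made for illustration; it does not use the epan tvbuff API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standalone model, not the Wireshark API. caplen = bytes saved in the
 * capture (limited by snaplen); replen = bytes that were on the wire.
 * Assumes caplen <= replen. */
typedef struct { const uint8_t *data; size_t caplen; size_t replen; } frame_t;
typedef enum { PARSE_OK, PARSE_TRUNCATED, PARSE_MALFORMED } parse_status;

/* Can [off, off+len) be read? Written with subtractions so that a huge
 * len cannot wrap the comparison. */
static parse_status check_range(const frame_t *f, size_t off, size_t len)
{
    if (off > f->replen || len > f->replen - off)
        return PARSE_MALFORMED;   /* claims bytes that were never on the wire */
    if (off > f->caplen || len > f->caplen - off)
        return PARSE_TRUNCATED;   /* was on the wire, but cut off by snaplen */
    return PARSE_OK;
}

/* Hypothetical record: 1-byte type, 2-byte big-endian length, payload.
 * On PARSE_OK, *payload and *plen describe the payload inside the frame. */
parse_status parse_record(const frame_t *f, size_t off,
                          const uint8_t **payload, size_t *plen)
{
    parse_status st = check_range(f, off, 3);   /* header bytes first */
    if (st != PARSE_OK) return st;
    size_t declared = ((size_t)f->data[off + 1] << 8) | f->data[off + 2];
    st = check_range(f, off + 3, declared);     /* never trust the length field */
    if (st != PARSE_OK) return st;
    *payload = f->data + off + 3;
    *plen = declared;
    return PARSE_OK;
}

/* Constructed sample record: type 0x01, length 4, payload "ABCD". */
static const uint8_t SAMPLE[] = { 0x01, 0x00, 0x04, 'A', 'B', 'C', 'D' };

/* Parse SAMPLE as if only caplen bytes were captured and with the length
 * field overwritten by `declared` (models a corrupted or hostile value). */
parse_status demo(size_t caplen, uint16_t declared, size_t *plen)
{
    uint8_t buf[sizeof SAMPLE];
    const uint8_t *p = NULL;
    memcpy(buf, SAMPLE, sizeof buf);
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)declared;
    frame_t f = { buf, caplen, sizeof buf };
    *plen = 0;
    return parse_record(&f, 0, &p, plen);
}
```

A parser that stops on either non-OK status, instead of reading on, handles both the snaplen case and the bad-length-field case without touching memory outside the captured bytes.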
