Wireshark-dev: [Wireshark-dev] "File has packet larger than file's snapshot length." warnings
From: "Turney, Cal" <cal.turney@xxxxxxx>
Date: Wed, 10 Jul 2013 13:09:41 -0400

Hi,

 

The patch for Bug 8808 causes a console warning to be displayed if the snaplen (wth->snapshot_length) in the global header of the capture file does not match the packet size (hdr->hdr.incl_len).  We are seeing thousands of "File has packet larger than file's snapshot length." warnings because of a bug in our company's hybrid tcpdump app used for capturing traffic directly on the customer's NAS equipment.  The snaplen option of the app is functional but it hard-codes a snaplen of 1516 in the global header.  This bug has been around for at least five years and possibly forever. 

 

Just curious.  Does anyone know of an app that uses or pays attention to the global snaplen value?  Wireshark prior to r49999, UN!X tcpdump, and MS Netmon do not.  They compare the packet size to the original length of the packet (in Wireshark:  tvb_length(tvb) and tvb_reported_length(tvb)).

 

The bug in our code will be fixed but our customers are very slow to upgrade their software so we will continue to see these warnings for at least two years.  Would anyone object to my adding an option in Preferences>Protocols>Frame to ignore these mismatches but set the default to NOT ignore them?        

 

Thanks,

Cal