Wireshark · Wireshark-dev: Re: [Wireshark-dev] "File has packet larger than file's snapshot length." warnings

Wireshark-dev: Re: [Wireshark-dev] "File has packet larger than file's snapshot length." warnin

From: "Turney, Cal" <cal.turney@xxxxxxx>

Date: Sun, 14 Jul 2013 20:26:42 -0400

>> It is on Ethernet jumbo-capable Intel, Broadcom, and some others.  It looks like the original tcpdump developer hard-coded 1516 when he probably meant 1514.

>So jumbo frames appear to be larger than the snapshot length?

The warnings are triggered by jumbo frames and LSO frames:  any packet greater than 1516 bytes in length.

>> Are you saying that rather than adding an option to ignore snapshot_length/packet size discrepancies it might be best to not generate these warnings?

>Yes.  I.e., it might be best to just hardwire in the "ignore those discrepancies" option.

OK.  I'll submit a patch that adds the option "Do NOT issue a warning if the packet size exceeds the snapshot length in the capture header." in Preferences>Protocols>Frame and set the default to not issue a warning (checkmark set).  If unchecked, the warning will be "pcap: <n>-byte packet exceeds snapshot length of <n>." rather than "pcap: File has packet larger than file's snapshot length."    

Thanks.

Follow-Ups:
- Re: [Wireshark-dev] "File has packet larger than file's snapshot length." warnings
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] Reassembly code not working after change to use tvbuffs
Next by Date: Re: [Wireshark-dev] Reassembly code not working after change to use tvbuffs
Previous by thread: Re: [Wireshark-dev] Reassembly code not working after change to use tvbuffs
Next by thread: Re: [Wireshark-dev] "File has packet larger than file's snapshot length." warnings
Index(es):
- Date
- Thread