Wireshark · Wireshark-users: [Wireshark-users] why does wireshark believe that libpcap has a 65535 max packet size?

Wireshark-users: [Wireshark-users] why does wireshark believe that libpcap has a 65535 max packet

From: Sam Roberts <vieuxtech@xxxxxxxxx>

Date: Wed, 23 Nov 2011 16:16:11 -0800

See definiton of WTAP_MAX_PACKET_SIZE, and use in wiretap/libpcap.c.

Seems to me it should be checking this (untested):

  if (hdr->hdr.incl_len > wth->snapshot_length) { // not WTAP_MAX_PACKET_SIZE!

Attached file can be read by tcpdump, but wireshark chokes on it.

And yes, the IP and TCP packets are fake/invalid, but the pcap is valid!

Cheers,
Sam

Attachment: _.pcap.zip
Description: Zip archive

Follow-Ups:
- Re: [Wireshark-users] why does wireshark believe that libpcap has a 65535 max packet size?
  - From: Guy Harris

Prev by Date: [Wireshark-users] Capturing packets from hight speed switch ports
Next by Date: Re: [Wireshark-users] how to display h.460.19 related values?
Previous by thread: Re: [Wireshark-users] Capturing packets from hight speed switch ports
Next by thread: Re: [Wireshark-users] why does wireshark believe that libpcap has a 65535 max packet size?
Index(es):
- Date
- Thread