Wireshark mailing list archives

Re: Wireshark / TShark Record Length: Stops Display


From: Guy Harris <guy () alum mit edu>
Date: Fri, 11 Aug 2017 10:31:46 -0700

On Aug 11, 2017, at 9:26 AM, Nalini J Elkins <nalini.elkins () insidethestack com> wrote:

> I am testing some test code for the new PDM IPv6 Destination Option 
> (https://datatracker.ietf.org/doc/draft-ietf-ippm-6man-pdm-option/) which is now in the RFC Editor's queue, so should 
> get an RFC number soon!
> 
> Anyway, what is happening is that we have a bug in the record length (I suspect!) when there is IP fragmentation.  At 
> least, we are trying to fix our issues with an IP fragmentation bug in our code.  The message I get from Wireshark is:
> 
> "The capture file appears to be damaged or corrupt. (pcap: File has 172958905-byte packet, bigger than maximum of 
> 262144)"
> 
> I suspect that is an invalid packet that we have created.

No, it's an invalid *file*.  As the message says, "The capture file appears to be damaged or corrupt."

It's not a problem with the packet, it's a problem with the record in the file that *contains* the packet; it claims 
that the packet is 172,958,905 bytes long, but we - and libpcap - limit the maximum packet size to 262,144 bytes, to 
prevent an attempt to read a capture file from allocating a huge chunk of memory from a possibly-damaged file.

How did you create that capture file?

If you created it with a normal capture program, such as tcpdump, TShark, Wireshark, or dumpcap, what version of that 
program was used, and, if the file was transferred between machines, how was it transferred?

If you created it with your own program, did it use its own code to write out the pcap file format, or did it use, for 
example, libpcap to handle the pcap file format?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
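
The check described in the reply above, as an added example (not Wireshark or libpcap code, and not part of the original message): a reader that validates each pcap record header's captured-length field against the 262144-byte cap and the remaining data before using it. The function names and the sample image are constructed for illustration; only the classic microsecond magic number, in either byte order, is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORD_LEN 262144u /* the maximum quoted in the error message */

/* Byte-wise 32-bit access, so alignment and host byte order do not matter. */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk an in-memory pcap image. Returns the number of well-formed records, or -1
 * for a bad file header; the first bad record is reported via bad_off/bad_len. */
long pcap_scan(const uint8_t *buf, size_t len, size_t *bad_off, uint32_t *bad_len) {
    *bad_off = 0; *bad_len = 0;
    if (len < 24) return -1;                     /* file header is 24 bytes */
    uint32_t magic = rd32(buf, 0);
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -1;
    int be = (magic == 0xd4c3b2a1u);             /* file written big-endian */
    long good = 0;
    for (size_t off = 24; len - off >= 16; good++) {
        uint32_t incl = rd32(buf + off + 8, be); /* captured-length field */
        /* Validate BEFORE the value sizes any read or allocation. */
        if (incl > MAX_RECORD_LEN || incl > len - off - 16) { *bad_off = off; *bad_len = incl; break; }
        off += 16 + (size_t)incl;                /* record header + packet data */
    }
    return good;
}

/* Constructed sample: one good 4-byte record, then a record header whose length
 * field holds the 172958905 from the error message. out must hold 64 bytes. */
size_t build_sample(uint8_t *out) {
    memset(out, 0, 64);
    wr32le(out, 0xa1b2c3d4u);                    /* magic: little-endian, microseconds */
    out[4] = 2; out[6] = 4;                      /* format version 2.4 */
    wr32le(out + 16, 65535); wr32le(out + 20, 1);/* snaplen, link type (Ethernet) */
    wr32le(out + 32, 4); wr32le(out + 36, 4);    /* record 1: captured/original length */
    wr32le(out + 52, 172958905u);                /* record 2: bogus captured length */
    return 60;                                   /* 24 + (16 + 4) + 16 */
}

int main(void) {
    uint8_t img[64]; size_t off; uint32_t claimed;
    long n = pcap_scan(img, build_sample(img), &off, &claimed);
    printf("%ld good record(s); record at offset %zu claims %u bytes\n", n, off, (unsigned)claimed);
    return 0;
}
```

Run against a file produced by your own writer, the reported offset shows which record header is wrong, which usually points at a miscounted length in the preceding record.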
