Wireshark-bugs: [Wireshark-bugs] [Bug 12586] New: Error reading an externally generated CAP
Date: Wed, 06 Jul 2016 10:33:06 +0000
Bug ID 12586
Summary Error reading an externally generated CAP
Product Wireshark
Version 2.0.4
Hardware x86-64
OS Windows 10
Status UNCONFIRMED
Severity Major
Priority Low
Component Capture file support (libwiretap)
Assignee bugzilla-admin@wireshark.org
Reporter raffaeler@vevy.com

Created attachment 14704
A capture file generated externally

Build Information:
Wireshark 2.0.4 (v2.0.4-0-gdd7746e from master-2.0)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.11.0, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 10, build 10586, with locale C, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without AirPcap.
Intel(R) Core(TM) i7 CPU         860  @ 2.80GHz (with SSE4.2), with 1370MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 40629

--
The attached file is generated from an external tool.
Most of the time, this is read correctly by Wireshark. Sometimes Wireshark
2.0.4 shows this dialog:
----
The capture file appears to be damaged or corrupt.
(pcap: File has 8323072-byte packet, bigger than maximum of 262144)
----

If I open the *same* file under 1.12.8, the file works perfectly.

* Important note:
Some of the CAP packet headers are generated with an "incl_len" greater than
"orig_len". The tool that generated the file uses the extra space to store
information that is not part of the network traffic (and that will NOT be
shown by Wireshark).
According to the CAP specification this should not cause problems at all.

* Important note2:
In order to verify the tool is not doing something wrong, I printed the hex
file on paper and verified by hand every single CAP header length and they are
correct.
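
As an added illustration (not part of the original report and not Wireshark's code), the following Python walker checks every record header of a classic pcap file and flags records where incl_len exceeds orig_len or the 262144-byte maximum named in the error dialog. The sample capture, function names and timestamp are constructed, and the classic pcap layout (24-byte file header, 16-byte record headers) is assumed.

```python
import struct

PCAP_MAX_RECORD = 262144  # limit quoted in the Wireshark 2.0.4 error dialog
# Assumption: classic pcap with microsecond timestamps, either byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def audit_pcap(data):
    """Walk record headers; return (index, offset, incl_len, orig_len, flags) tuples."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    findings, offset, index = [], 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            findings.append((index, offset, None, None, ["truncated-header"]))
            break
        _sec, _usec, incl_len, orig_len = struct.unpack_from(order + "IIII", data, offset)
        flags = []
        if incl_len > orig_len:
            flags.append("incl_len>orig_len")
        if incl_len > PCAP_MAX_RECORD:
            flags.append("over-max")
        if offset + 16 + incl_len > len(data):
            flags.append("truncated-data")
        findings.append((index, offset, incl_len, orig_len, flags))
        if "over-max" in flags or "truncated-data" in flags:
            break  # lengths can no longer be trusted; stop rather than desynchronise
        offset += 16 + incl_len
        index += 1
    return findings

def build_sample():
    """Constructed sample: three records, the second with 8 bytes beyond orig_len."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for incl, orig in ((60, 60), (68, 60), (42, 42)):
        out += struct.pack("<IIII", 1467801186, 0, incl, orig) + bytes(incl)
    return out

if __name__ == "__main__":
    for rec in audit_pcap(build_sample()):
        print(rec)
```

The reported offset of each record makes it possible to compare the walker's view of the file with a hex dump, header by header.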

