Wireshark-dev: Re: [Wireshark-dev] the feature of limiting packet size
From: "Joshua (Shiwei) Zhao" <swzhao@xxxxxxxxx>
Date: Mon, 20 Jul 2009 15:41:21 -0700
I believe it's a bug there, at least in 1.0.4 I'm using.
I don't believe all packets have that big headers over 500 bytes. The code must checked the whole data payload size, instead of only checking the header length when it tries to dissect and throw an execption.
I'll try to debug. Meanwhile any hints/suggestions are welcome.
 
Thanks,
Joshua

On Sat, Jul 18, 2009 at 1:07 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jul 17, 2009, at 10:21 PM, Joshua (Shiwei) Zhao wrote:

> I did try to set the limit to big value, such as 200 or even 400
> bytes, but it still fails.

For *any* network, including Ethernet, the only way to be *guaranteed*
not to get *any* "Packet size limited during captures" exceptions is
to set the limit to a value greater than or equal to the MTU on the
network plus the largest possible link-layer header - and bear in mind
that, if you're capturing with radio headers, "the link-layer header"
includes the radio information, so "the largest possible link-layer
header" means "the largest possible {radiotap,AVS,Prism} header
followed by the largest possible 802.11 header".

And, again, as I said, "it will throw an exception if the packet was
bigger than XX bytes and Wireshark tries to dissect all the bytes in
the packet" - it could well be that all 400 bytes are stuff that
Wireshark will dissect.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe