Package: tcpdump
Version: 4.9.3-1~deb10u1
Severity: normal
Dear Maintainer,
I tried to display a pcapng capture with `tcpdump -r` but failed
with:
> tcpdump: invalid interface capture length 524288, bigger than maximum of
> 262144
The file is correctly read by wireshark on the same machine.
Versions:
- tcpdump (4.9.3-1~deb10u1):
> tcpdump version 4.9.3
> libpcap version 1.8.1
> OpenSSL 1.1.1d 10 Sep 2019
-wireshark (2.6.8-1.1):
> Compiled (64-bit) with Qt 5.11.3, with libpcap, with POSIX capabilities
(Linux),
> with libnl 3, with GLib 2.58.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares
> 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.7, with Gcrypt 1.8.4, with MIT
Kerberos,
> with MaxMind DB resolver, with nghttp2 1.37.0, with LZ4, with Snappy, with
> libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, without bcg729.
I reproduced the issue by patching a simple pcapng
(https://wiki.wireshark.org/Development/PcapNg?action=AttachFile&do=get&target=dhcp.pcapng):
diff <(xxd dhcp.pcapng) <(xxd long-snaplen.pcapng)
--- /proc/self/fd/112020-03-20 23:08:57.206212690 +0100
+++ /proc/self/fd/122020-03-20 23:08:57.206212690 +0100
@@ -1,6 +1,6 @@
: 0a0d 0d0a 1c00 4d3c 2b1a 0100 M<+.
0010: 1c00 0100
-0020: 2000 0100 0900 0100 ...
+0020: 2000 0100 0800 0900 0100 ...
0030: 0600 2000 0600 ...
0040: 5c01 83ea 0300 0d8a 3335 \.35
0050: 3a01 3a01 000b :...:...
tcpdump -r <(cat long-snaplen.pcapng)
tcpdump: invalid interface capture length 524288, bigger than maximum of 262144
tcpdump -r <(cat dhcp.pcapng)
reading from file /proc/self/fd/11, link-type EN10MB (Ethernet)
20:16:24.317453 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request
from 00:0b:82:01:fc:42 (oui Unknown), length 272
[…]
Googling returned this issue (https://github.com/the-tcpdump-
group/libpcap/issues/527)
and this patch (https://github.com/the-tcpdump-
group/libpcap/commit/2be9c29d45fb1fab8e9549342a30c160b7dea3e1)
that landed in libpcap v1.9.0 (according to last comment of the issue).
Notes:
- 1: it's a little bit strange (to me) since both tcpdump and wireshark use
libpcap0.8, but they might not use the same libpcap set. That's why I
opened the bug on tcpdump, even if the patch might be in libpcap.
- 2: I hope that the reproducer is enough and that my original capture file
will pass after a patch.
Thanks,
Marc.
-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, armhf
Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages tcpdump depends on:
ii libc6 2.28-10
ii libpcap0.8 1.8.1-6
ii libssl1.1 1.1.1d-0+deb10u2
tcpdump recommends no packages.
Versions of packages tcpdump suggests:
ii apparmor 2.13.2-10
-- no debconf information
