Martin

Thanks for the input. Our software flows over tactical wireless networks 
where the links are broken all the time.

But my question is...if I followed all the Wireshark coding standards 
(i.e.  tvb_get_guint8(tvb, offset);    proto_tree_add_item(sub_tree, xxx 
,tvb , offset, 1, FALSE);   etc etc etc ....)

Then shouldn't my dissector automatically handle the "packet size 
limited during capture" problem that I am having..??

If not... then how would one prepare the code to handle these corrupted 
or truncated packets..??

Any help is greatly appreciated.

Thanks,
Brian



Martin Visser wrote:
> Any dissector needs to validate its input and make sure it doesn't 
> make errant conclusions on what is presented.
>
> For example many protocols have fields that indicate lengths of data 
> within the frame. However any dissector needs to make sure that it 
> doesn't just believe those fields as being correct. A bad h...@x0r might 
> change those fields beyond what the protocol intended either to crash 
> the real application or even Wireshark. 
>
> Also packets might get unintentionally corrupted or truncated with 
> similar consequences. (Broken links, routers, VPNs can all do this). 
> Wireshark dissectors need to be resilient to this.
>
> Finally Wireshark (and tcpdump) have always had the ability to only 
> capture a truncated packet (mainly to limit resources required during 
> packet capture). A dissector also needs to cope with this. 
>
> Regards, Martin
>
> On Wed, Mar 24, 2010 at 2:42 AM, Brian Oleksa wrote:
>
>     Chris
>
>     I will have to look into why my dissector is crashing when I get
>     the Packet Size Limited during capture message.
>
>     I am an employee of Dark Corner Software. I am writing the
>     dissector for our clients that use our software.
>
>     I have fixed the license issue. Attached is the latest updated
>     file that I am still working on.
>
>     We have open source software and closed source software. I am
>     trying to get the open source dissector submitted through
>     Wireshark so it can become a part of the Wireshark distribution
>     (this is the attached copy).
>
>     Our closed source software is for our customers only. I have
>     written a dissector for our closed source software for the client.
>     This is where I am getting the "Packet Size limited during capture
>     " message from.
>
>
>     Thanks,
>     Brian
>
>
>
>     Maynard, Chris wrote:
>
>         As Jakub pointed out, regardless of the snaplen, if Wireshark
>         is crashing, then the bug is in the dissector, although IMO
>         the biggest bug in the dissector is still the incompatible
>         license.
>
>         Brian, please carefully read
>         http://www.gnu.org/licenses/gpl-faq.html#GPLModuleLicense
>
>         Gerald et al, consider this e-mail as a report of a violation
>         of the GPL per
>         http://www.gnu.org/licenses/gpl-faq.html#ReportingViolation
>
>         So until the dissector is properly licensed, I suggest
>         contacting these folks for support on this dissector:
>         http://www.darkcornersoftware.com/contact.html
>
>         - Chris
>
>         -----Original Message-----
>         From: [email protected] On Behalf Of Mike Morrin
>         Sent: Tuesday, March 23, 2010 9:02 AM
>         To: Developer support list for Wireshark
>         Subject: Re: [Wireshark-dev] Packet Size limited during
>         capture message
>
>
>         -----Original Message-----
>         From: [email protected] On Behalf Of Brian Oleksa
>         Sent: 23 March 2010 12:23
>         To: Developer support list for Wireshark
>         Subject: Re: [Wireshark-dev] Packet Size limited during
>         capture message
>
>         Chris
>
>         I just found out that this was captured using tshark.....but
>         nobody knows what the snaplen was.
>
>         So my question is....   My code is working correctly
>         then....And that this was just a bad judgment of the wrong
>         snaplen......correct..??
>
>         Thanks,
>         Brian
>
>         --------------------------------------------------------------------
>         It is possible for a dissector bug to throw this exception
>         even with a perfectly captured packet, see Bug 2855 for example.
>
> ___________________________________________________________________________
>         Sent via:    Wireshark-dev mailing list
>         <[email protected] <mailto:[email protected]>>
>         Archives:    http://www.wireshark.org/lists/wireshark-dev
>         Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>                     mailto:[email protected]
>         <mailto:[email protected]>?subject=unsubscribe
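
Added example (not part of the original thread, and not Wireshark's tvbuff API): a stand-alone C model of the checks discussed above, telling apart a record cut off by the capture snaplen from one whose length field runs past the end of the real frame. The pkt_buf type, the record format and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a capture buffer: not Wireshark's tvbuff API. */
typedef struct {
    const uint8_t *data;
    size_t captured_len;  /* bytes actually saved (limited by snaplen) */
    size_t reported_len;  /* bytes the frame had on the wire */
} pkt_buf;

typedef enum { DISSECT_OK, DISSECT_TRUNCATED, DISSECT_MALFORMED } dissect_status;

/* Can [offset, offset+len) be read? Written to avoid integer overflow. */
static dissect_status check_range(const pkt_buf *b, size_t offset, size_t len)
{
    if (offset > b->reported_len || len > b->reported_len - offset)
        return DISSECT_MALFORMED;   /* runs past the end of the real packet */
    if (offset > b->captured_len || len > b->captured_len - offset)
        return DISSECT_TRUNCATED;   /* on the wire, but cut off by snaplen */
    return DISSECT_OK;
}

/* Constructed record format: 1-byte type, 1-byte length, then `length` bytes.
 * Counts complete records in *records; stops at the first problem. */
dissect_status dissect_records(const pkt_buf *b, unsigned *records)
{
    size_t offset = 0;
    *records = 0;
    while (offset < b->reported_len) {
        dissect_status st = check_range(b, offset, 2);
        if (st != DISSECT_OK) return st;
        size_t value_len = b->data[offset + 1];   /* untrusted length field */
        st = check_range(b, offset + 2, value_len);
        if (st != DISSECT_OK) return st;
        offset += 2 + value_len;
        (*records)++;
    }
    return DISSECT_OK;
}

int main(void)
{
    /* Constructed sample frame: two records, captured with a 5-byte snaplen. */
    static const uint8_t frame[] = { 0x01, 0x02, 0xAA, 0xBB, 0x02, 0x01, 0xCC };
    pkt_buf cut = { frame, 5, sizeof frame };
    unsigned n;
    dissect_status st = dissect_records(&cut, &n);
    printf("status=%d records=%u\n", st, n);
    return 0;
}
```

Every read, including the one-byte length field itself, is range-checked before the byte is touched, so neither a short capture nor a hostile length value can walk the parser off the buffer.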