[Winpcap-users] RE: Bogus IP Header
Guy Harris
guy at alum.mit.edu
Sun Jun 19 08:38:13 GMT 2005
Sanjay Badala wrote:
> If you are capturing the packets using ethereal, then there is an option
> (ethereal > capture > Limit each packet to XXX bytes ) to limit the
> bytes to be captured from the packet. Disable this option and you will
> receive complete packets.
You will receive complete packets *IF* complete packets are being
delivered to the WinPcap driver via NDIS.
There is no guarantee that, for example, firewall and VPN software won't
cause bogus packets to be delivered to the WinPcap driver via NDIS,
*even if the firewall or VPN software isn't currently enabled*.
Furthermore, he's not just seeing short frames, he's also seeing frames
with bogus data in them, as per the "Bogus IP length 0" and "Bogus IP
header" messages.
In addition:
1) the option you mention is off by default - he would have had to take
action to turn it *on*;
2) Ethereal doesn't let the "XXX" in "Limit each packet to XXX bytes"
go below 68, but he's seeing the packets cut to 28 bytes.
I.e., his problem is almost certainly *NOT* the result of having
selected the "Limit each packet to XXX bytes" option. My suspicion is
that it's the result of the McAfee firewall software (even though it's
disabled), but I don't know that for sure; perhaps the WinPcap
developers know something about whether that software is known to cause
problems for WinPcap.
More information about the Winpcap-users
mailing list