[Winpcap-users] RE: Bogus IP Header

Guy Harris guy at alum.mit.edu
Sun Jun 19 08:38:13 GMT 2005


Sanjay Badala wrote:
> If you are capturing the packets using ethereal, then there is an option 
> (ethereal > capture > Limit each packet to  XXX bytes ) to limit the 
> bytes to be captured from the packet.  Disable this option and you will 
> receive complete packets.

You will receive complete packets *IF* complete packets are being 
delivered to the WinPcap driver via NDIS.

There is no guarantee that, for example, firewall and VPN software won't 
cause bogus packets to be delivered to the WinPcap driver via NDIS, 
*even if the firewall or VPN software isn't currently enabled*.

Furthermore, he's not just seeing short frames, he's also seeing frames 
with bogus data in them, as per the "Bogus IP length 0" and "Bogus IP 
header" messages.

In addition:

	1) the option you mention is off by default - he would have had to take 
action to turn it *on*;

	2) Ethereal doesn't let the "XXX" in "Limit each packet to XXX bytes" 
go below 68, but he's seeing the packets cut to 28 bytes.

I.e., his problem is almost certainly *NOT* the result of having 
selected the "Limit each packet to XXX bytes" option.  My suspicion is 
that it's the result of the McAfee firewall software (even though it's 
disabled), but I don't know that for sure; perhaps the WinPcap 
developers know something about whether that software is known to cause 
problems for WinPcap.
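
Added example, not part of the original message and not WinPcap or Ethereal code: a Python reader for a classic pcap file that separates frames cut by the "Limit each packet to XXX bytes" setting (captured length below wire length) from frames that were already short or malformed when they were handed to the capture driver, which is the distinction drawn above. Assumptions: the sample frames, the verdict labels and the helper names are constructed for illustration, and the IP checks are a simplified stand-in for the dissector checks behind the "Bogus IP" messages.

```python
import struct

ETH_LEN, MIN_IP_HDR = 14, 20   # Ethernet II header, smallest legal IPv4 header

def verdict(frame, wire_len, snaplen):
    """Classify one captured Ethernet frame (verdict labels are this example's own)."""
    if len(frame) < wire_len:  # capture layer cut it; the wire length is still recorded
        return "cut-by-snaplen" if len(frame) == snaplen else "cut-below-snaplen"
    if len(frame) < ETH_LEN or frame[12:14] != b"\x08\x00":
        return "not-ipv4"
    if len(frame) < ETH_LEN + MIN_IP_HDR:
        return "short-as-delivered"   # captured == wire length, so no snaplen involved
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    if ihl < MIN_IP_HDR:
        return "bogus-ip-header"
    if total_len < ihl:
        return "bogus-ip-length"
    return "ok"

def classify(pcap):
    """Return (snaplen, [(captured_len, wire_len, verdict), ...]) for a classic pcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(end + "II", pcap[16:24])
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    results, off = [], 24
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(end + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        results.append((incl, orig, verdict(frame, orig, snaplen)))
        off += 16 + incl
    return snaplen, results

def make_pcap(snaplen, records):
    """Build a little-endian pcap in memory from (frame_bytes, wire_len) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for frame, wire_len in records:
        out += struct.pack("<IIII", 0, 0, len(frame), wire_len) + frame
    return out

def ip(total_len, ihl_words=5):
    """Constructed 20-byte IPv4 header with the given total length and IHL."""
    return bytes([0x40 | ihl_words, 0]) + struct.pack("!H", total_len) + bytes(16)

ETH = bytes(12) + b"\x08\x00"  # constructed Ethernet header: zero MACs, IPv4 ethertype
SAMPLE = make_pcap(65535, [(ETH + ip(20), 34), ((ETH + ip(20))[:28], 28), (ETH + ip(0), 34)])
```

A 28-byte frame whose captured and wire lengths are equal comes out as "short-as-delivered", while a frame limited by a capture length of 68 comes out as "cut-by-snaplen".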
