[Winpcap-users] Problems with the modified wpcap.dll in Wireshark
Guy Harris
guy at alum.mit.edu
Wed Oct 17 20:21:35 GMT 2007
Gianluca Varenni wrote:
> Does Wireshark call pcap_setbuff or directly PacketSetBuff(p->adapter,dim)?
It calls pcap_setbuff().
> In the former case, a quick'n'dirty solution for the problem is adding
> some code in pcap_setbuff to have it fail if p->adapter is NULL (I think
> that there are some other Win32 specific APIs that will have the same
> problem, I'm thinking of e.g. pcap_getevent()).
The problem is that it *does* fail:
/* Set the dimension of the kernel-level capture buffer */
int
pcap_setbuff(pcap_t *p, int dim)
{
    if (p->adapter==NULL)
    {
        snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "The kernel buffer size cannot be set while reading from a file");
        return -1;
    }
    if(PacketSetBuff(p->adapter,dim)==FALSE)
    {
        snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "driver error: not enough memory to allocate the kernel buffer");
        return -1;
    }
    return 0;
}
so Wireshark reports an error. However, the error is misleading, as
pcap_setbuff() can fail for reasons other than the buffer size being too
large.
It reports the error, but the capture continues.