#140 Large wirelen frames not recognized

[Bert-Jan Kamp]

When capture has large frames as a result of a capture on a host with a TOE supported network interface the large frame is not recognized.

Example code:

public void packetloop(Pcap pcap){
Tcp tcp = new Tcp();
Ip4 ip = new Ip4();
Ethernet eth = new Ethernet();
PcapHeader hdr = new PcapHeader(JMemory.POINTER);
JBuffer buf = new JBuffer(JMemory.POINTER);
int id = JRegistry.mapDLTToId(pcap.datalink());
long packetnumber = 0;

// MainLoop
NEXTPACKET: while (pcap.nextEx(hdr,buf) == Pcap.NEXT_EX_OK){
    PcapPacket packet = new PcapPacket(hdr, buf);
    packet.scan(id);
    packetnumber+=1;
    int mypacketlength = packet.getCaptureHeader().wirelen();
    if(tcpanalysis.debug) System.out.printf( "-> %10d packet: Sizes packet %d\n", packetnumber, mypacketlength);

    //Check if TCP/IP/Eth packet
    if(packet.hasHeader(eth) && packet.hasHeader(ip) && packet.hasHeader(tcp)){
        System.out.println("TCP packet");
    }
}

}

Output:
-> 23399 packet: Sizes packet 104
TCP packet
-> 23400 packet: Sizes packet 3172
-> 23401 packet: Sizes packet 60
TCP packet

The large packet is not regcognized as eth, IP or TCP. I have attached a sample pcap file with a large frame.

[Bert-Jan Kamp]

Here is the frame summary of Wireshark, forgot to add:
23400 2016-09-07 12:58:09.482664 10.110.1.201 10.1.50.53 TLSv1 3172 Server Hello, Certificate[Packet size limited during capture]

[Bert-Jan Kamp]

Let me know if there is anything I can do to assist.