Package: tcpdump
Version: 4.9.3-1~deb10u1
Severity: normal

Dear Maintainer,

I tried to display a pcapng capture with `tcpdump -r` but it failed
with:
> tcpdump: invalid interface capture length 524288, bigger than maximum of 
> 262144

The file is correctly read by wireshark on the same machine.

Versions:
- tcpdump (4.9.3-1~deb10u1):
> tcpdump version 4.9.3
> libpcap version 1.8.1
> OpenSSL 1.1.1d  10 Sep 2019

- wireshark (2.6.8-1.1):
> Compiled (64-bit) with Qt 5.11.3, with libpcap, with POSIX capabilities (Linux),
> with libnl 3, with GLib 2.58.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares
> 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.7, with Gcrypt 1.8.4, with MIT Kerberos,
> with MaxMind DB resolver, with nghttp2 1.37.0, with LZ4, with Snappy, with
> libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, without bcg729.

I reproduced the issue by patching a simple pcapng
(https://wiki.wireshark.org/Development/PcapNg?action=AttachFile&do=get&target=dhcp.pcapng):

diff <(xxd dhcp.pcapng) <(xxd long-snaplen.pcapng)
--- /proc/self/fd/11    2020-03-20 23:08:57.206212690 +0100
+++ /proc/self/fd/12    2020-03-20 23:08:57.206212690 +0100
@@ -1,6 +1,6 @@
 00000000: 0a0d 0d0a 1c00 0000 4d3c 2b1a 0100 0000  ........M<+.....
 00000010: ffff ffff ffff ffff 1c00 0000 0100 0000  ................
-00000020: 2000 0000 0100 0000 ffff 0000 0900 0100   ...............
+00000020: 2000 0000 0100 0000 0000 0800 0900 0100   ...............
 00000030: 0600 0000 0000 0000 2000 0000 0600 0000  ........ .......
 00000040: 5c01 0000 0000 0000 83ea 0300 0d8a 3335  \.............35
 00000050: 3a01 0000 3a01 0000 ffff ffff ffff 000b  :...:...........
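
Review bot: the diff does not say which field the four changed bytes at offset 0x28 belong to. Read little-endian (the byte-order magic 4d3c 2b1a at offset 8 indicates this), ffff 0000 is 65535 and 0000 0800 is 0x00080000 = 524288, the value in the tcpdump error; in pcapng this is the SnapLen field of the Interface Description Block that starts at 0x1c. A one-line caption naming that field would make the reproducer self-explanatory.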

tcpdump -r <(cat long-snaplen.pcapng)
tcpdump: invalid interface capture length 524288, bigger than maximum of 262144

tcpdump -r <(cat dhcp.pcapng)
reading from file /proc/self/fd/11, link-type EN10MB (Ethernet)
20:16:24.317453 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:0b:82:01:fc:42 (oui Unknown), length 272
[…]

Googling returned this issue
(https://github.com/the-tcpdump-group/libpcap/issues/527)
and this patch
(https://github.com/the-tcpdump-group/libpcap/commit/2be9c29d45fb1fab8e9549342a30c160b7dea3e1)
that landed in libpcap v1.9.0 (according to the last comment of the issue).

Notes:
- 1: it's a little bit strange (to me) since both tcpdump and wireshark use
     libpcap0.8, but they might not use the same libpcap set. That's why I
     opened the bug on tcpdump, even if the patch might be in libpcap.
- 2: I hope that the reproducer is enough and that my original capture file
     will pass after a patch.

Thanks,

Marc.



-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, armhf

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tcpdump depends on:
ii  libc6       2.28-10
ii  libpcap0.8  1.8.1-6
ii  libssl1.1   1.1.1d-0+deb10u2

tcpdump recommends no packages.

Versions of packages tcpdump suggests:
ii  apparmor  2.13.2-10

-- no debconf information
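
Added example (not part of the original report and not libpcap's code): a minimal pcapng block walker that reads the SnapLen field of every Interface Description Block and flags values above the 262144 limit quoted in the error, so a capture can be checked before it is handed to an older reader. The two sample buffers are constructed from the first 0x3c bytes of the hexdump in the report; the function names are hypothetical.

```python
import struct

MAX_SNAPLEN = 262144            # limit quoted in the tcpdump error in the report
SHB, IDB = 0x0A0D0D0A, 0x00000001
BYTE_ORDER_MAGIC = 0x1A2B3C4D   # stored inside each Section Header Block

def idb_snaplens(data):
    """Return [(interface_index, linktype, snaplen)] for each IDB in a pcapng buffer."""
    out, off, endian, idx = [], 0, "<", 0
    while off + 12 <= len(data):
        # The SHB type is a byte palindrome, so it reads the same in either order.
        if struct.unpack_from("<I", data, off)[0] == SHB:
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic == 0x4D3C2B1A:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %#x" % off)
            idx = 0             # interface numbering restarts in each section
        btype, blen = struct.unpack_from(endian + "II", data, off)
        # Reject lengths that would loop forever or run past the buffer.
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %#x" % (blen, off))
        if btype == IDB:
            if blen < 20:
                raise ValueError("IDB too short at offset %#x" % off)
            # IDB body: LinkType (u16), Reserved (u16), SnapLen (u32)
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", data, off + 8)
            out.append((idx, linktype, snaplen))
            idx += 1
        off += blen
    return out

def oversized(data, limit=MAX_SNAPLEN):
    """IDBs whose SnapLen exceeds the reader's limit."""
    return [t for t in idb_snaplens(data) if t[2] > limit]

# Constructed samples: SHB + IDB as shown at offsets 0x00-0x3b of the hexdump.
ORIGINAL = bytes.fromhex(
    "0a0d0d0a1c0000004d3c2b1a01000000ffffffffffffffff1c000000"   # SHB
    "010000002000000001000000ffff0000"                           # IDB header
    "09000100060000000000000020000000")                          # options, trailer
# Same four-byte change as the diff in the report (offset 0x28).
PATCHED = ORIGINAL[:0x28] + bytes.fromhex("00000800") + ORIGINAL[0x2C:]

if __name__ == "__main__":
    for name, buf in (("dhcp", ORIGINAL), ("long-snaplen", PATCHED)):
        print(name, idb_snaplens(buf), "oversized:", oversized(buf))
```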
