Hi all, I'm using Wireshark 1.0.15 to capture and dissect a custom protocol. I tried to capture these packets with both tcpdump ... -s 0 and through the GUI (unchecking the limit packet size box). When I run:
I dissect the packet to great success. The packet is approximately 50K bytes when reassembled using tcp_dissect_pdus. However, when I run it without root privileges, I get:
I can see the header has been successfully dissected, since it gives me the same info as when I run it as root. However, the rest of the packets show the error mentioned above. What am I doing wrong? Am I capturing it wrong or is there a bug in my code? Or is it because of how Wireshark is set up on my system? asked 26 Jun '14, 10:31 barney
One Answer:
It might be. If, when running Wireshark as root, it uses root's preferences, which have TCP checksum validation turned off, but, when running it as yourself, it uses your preferences, which have TCP checksum validation turned on, then some packets will get errors because they have invalid checksums (which, as the message Wireshark displays in that case says, may be due to TCP checksum offloading - that will cause packets sent by the machine running a packet sniffer to, when captured by that sniffer, have an invalid TCP checksum, because the checksum is set on the NIC, and the packets seen by a sniffer are the packets as handed to the NIC), and that may disable TCP reassembly. "Packet size limited during capture: XXX truncated" should only be reported if a snapshot length was specified, but there might be a Wireshark bug causing it to be reported for non-reassembled packets. answered 01 Jul '14, 13:53 Guy Harris ♦♦
What is your
Can you post a sample capture file at Google Drive, Dropbox or cloudshark.org?
Here's a sample capture that exhibits this problem:
https://www.dropbox.com/s/r9ehpjs5d8lwpgr/askwireshark
I'm running Red Hat Enterprise Linux 5.
I don't seem to have the same problem in Wireshark 1.6.7/Ubuntu. I'm having trouble building the same version (1.0.15) on 12.04 though so it's hard to say if it's the OS or the Wireshark version.
What's printed if you type
and if you type
Sorry, I can't answer that since I don't have access to the machine anymore. If it helps, I installed it on RHEL 5.4 with the wireshark-gnome package.
I forgot to follow up here, but the problem went away when I disabled TCP Checksum Validation. After some really basic research, it seemed that the TCP offloading was a plausible cause.
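As an added illustration of the answer above and of the final comment (this is not code from the thread or from Wireshark), the following Python check reproduces what TCP checksum validation does: it computes the TCP checksum over the IPv4 pseudo-header plus segment, and shows that a locally sent segment whose checksum field was left for the NIC to fill in (checksum offloading) fails validation, which is what the sniffer sees for outbound packets captured on the sending host. The addresses, ports and payload are constructed sample values.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum a TCP segment (header + payload) the way a validating dissector does:
    IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length) + segment with its
    checksum field treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the checksum stored in the header matches the recomputed one."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


# Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:5000, PSH|ACK, payload "hello".
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])


def build_segment(checksum_field: int) -> bytes:
    """20-byte TCP header (data offset 5, no options) with the given checksum value, plus payload."""
    header = struct.pack("!HHIIBBHHH", 40000, 5000, 1, 1, 5 << 4, 0x18, 65535, checksum_field, 0)
    return header + b"hello"


# What the sniffer sees with checksum offloading: the host left the field unset (0 here as a
# constructed placeholder) and the NIC fills it in later, so validation fails.
offloaded_segment = build_segment(0)
# What the wire actually carries after the NIC has done its work.
wire_segment = build_segment(tcp_checksum(SRC_IP, DST_IP, offloaded_segment))

if __name__ == "__main__":
    print(hex(tcp_checksum(SRC_IP, DST_IP, offloaded_segment)))      # 0xa828
    print(tcp_checksum_valid(SRC_IP, DST_IP, offloaded_segment))     # False
    print(tcp_checksum_valid(SRC_IP, DST_IP, wire_segment))          # True
```

A dissector with validation enabled treats the first case as a bad segment and skips reassembly for it, which is why turning validation off (or turning offloading off on the capturing host) makes the reassembled PDU appear.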