diff --git a/src/sniffer.c b/src/sniffer.c
index 7f6dc552b..13e230e63 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -2915,7 +2915,8 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
 /* Process Message(s) from sslFrame */
 /* return Number of bytes on success, 0 for no data yet, and -1 on error */
 static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
-                          int sslBytes, byte* data, const byte* end,char* error)
+                          int sslBytes, byte** data, const byte* end,
+                          char* error)
 {
     const byte*       sslBegin = sslFrame;
     const byte*       recordEnd;   /* end of record indicator */
@@ -3041,8 +3042,14 @@ doPart:
                     ret = ssl->buffers.clearOutputBuffer.length;
                     TraceGotData(ret);
                     if (ret) {  /* may be blank message */
-                        XMEMCPY(&data[decoded],
-                               ssl->buffers.clearOutputBuffer.buffer, ret);
+                        *data = realloc(*data, decoded + ret);
+                        if (*data == NULL) {
+                            SetError(MEMORY_STR, error, session,
+                                     FATAL_ERROR_STATE);
+                            return -1;
+                        }
+                        XMEMCPY(*data + decoded,
+                                ssl->buffers.clearOutputBuffer.buffer, ret);
                         TraceAddedData(ret, decoded);
                         decoded += ret;
                         ssl->buffers.clearOutputBuffer.length = 0;
@@ -3144,7 +3151,7 @@ static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
 
 /* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed */
 /* returns Number of bytes on success, 0 for no data yet, and -1 on error */
-int ssl_DecodePacket(const byte* packet, int length, byte* data, char* error)
+int ssl_DecodePacket(const byte* packet, int length, byte** data, char* error)
 {
     TcpInfo           tcpInfo;
     IpInfo            ipInfo;
diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index 0a21e3958..b618eec0c 100755
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -296,7 +296,7 @@ int main(int argc, char** argv)
         packetNumber++;
         if (packet) {
 
-            byte data[65535+16384];  /* may have a partial 16k record cached */
+            byte* data = NULL;
 
             if (header.caplen > 40)  { /* min ip(20) + min tcp(20) */
 				packet        += frame;
@@ -305,7 +305,7 @@ int main(int argc, char** argv)
             else
                 continue;
 
-            ret = ssl_DecodePacket(packet, header.caplen, data, err);
+            ret = ssl_DecodePacket(packet, header.caplen, &data, err);
             if (ret < 0) {
                 printf("ssl_Decode ret = %d, %s\n", ret, err);
                 hadBadPacket = 1;
@@ -313,6 +313,8 @@ int main(int argc, char** argv)
             if (ret > 0) {
                 data[ret] = 0;
 				printf("SSL App Data(%d:%d):%s\n", packetNumber, ret, data);
+                free(data);
+                data = NULL;
             }
         }
         else if (saveFile)
diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h
index 495045d71..5e626d93f 100644
--- a/wolfssl/sniffer.h
+++ b/wolfssl/sniffer.h
@@ -56,7 +56,7 @@ SSL_SNIFFER_API int ssl_SetNamedPrivateKey(const char* name,
 
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_DecodePacket(const unsigned char* packet, int length,
-                                     unsigned char* data, char* error);
+                                     unsigned char** data, char* error);
 
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_Trace(const char* traceFile, char* error);