This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[Malformed Packet: GSM over IP]

0
1

Hi, I'm new to WireShark but I have a Windows host with WireShark running and on this host a customised application sending data to another host on port 5000. I can filter the data and use Follow TCP Stream fine and see the applications network data.

However the frames are displayed as

[Malformed Packet: GSM over IP]

I assume that WireShark is inspecting the frame data and that WireShark thinks that the data inside is a GSM over IP formatted data while it isn't.

Anyway to 'disable' this misleading matching to GSM over IP?

Any help would be greatly appreciated!

Bernd

asked 31 Jan '11, 04:07

BerndN's gravatar image

BerndN
1122
accept rate: 0%

I see this protocols:

GSM SMS GSM SMS UD GSM Um GSM_MAP

Windows Version 1.4.3 from WireShark So thanks for the tip. Somehow I have thought the same before but because I could not find it easily I was confused and thought better to post this here ;)

(31 Jan '11, 04:39) BerndN

Just one more question regarding those frames/packets. I have done some binary editing of old files in Windows. I had files which had a length value after the initial header so that the opening program did know how long the file had to be. But most files had different structures/data structures. I assume that with network packets a lot is also depending on the application creating it. The packets which have been identified by the dissector GSM over IP seems to assume that it finds a checksum at offset 0xnn and that this checksum value should be nnnn instead of 00 00. My understanding is that the header seems similiar to a GSM over IP packet but it is no GSM over IP structure. So to permanently fix it I should write my own, custom dissector?

Thanks for reading and trying to help!

Bernd

(31 Jan '11, 13:02) BerndN

2 Answers:

2

Goto the menu Analyze|Protocols. This open a dialog with all protocol dissectors. Look for 'GSM over IP' and remove the check mark. Click apply to see what happens.

answered 31 Jan '11, 04:32

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks Jaap. Doing this change it and all looks fine after it. Are those messages/frames/packets now hidden or have they just changed to 'unnamed' data frames/packets?

(31 Jan '11, 04:48) BerndN

No, the Wireshark 'GSM over IP' dissectors just isn't called any more. it now depends on the other dissectors what does happen.

(31 Jan '11, 12:44) Jaap ♦

Worked for me

(13 Nov '14, 07:56) 4m1r

0

Edit->preferences->protocols->GSM over IP change the TC/UDP ports to 0 or dissable the protocol.

answered 31 Jan '11, 04:31

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%