I am seeing a "Malformed Packet (Exception occured)" message with a DIS packet while using Wireshark 1.10.7 (v1.10.7-0-g6b931a1 from master-1.10) on Windows 7.

We are generating this packet ourselves and I think it is valid. But I'm eager to learn if there is something wrong with it. And also I'm trying to find out if we can trust/use the DIS dissector or not, because it would be helpful to us if it is reliable.

The K12 text packet is here: http://pastebin.com/AaB8vQnn

The pcap is here: https://www.cloudshark.org/captures/4bb6d12660f4

I grabbed the wireshark source and looked around at the DIS dissector, but did not find it easy to follow. I would like to build the source and debug, but I'm not sure when/if I will have the time to do that. So I'm just wondering if someone has any idea what is wrong here.

Thanks for any ideas.

asked 08 May '14, 20:49 pwinston edited 09 May '14, 13:54
One Answer:
There seems to be one byte missing at the end (record end marker: DIS_FIELDTYPE_END). I've corrected the pcap file with a HEX editor (added one byte and fixed all length and checksum values). Now Wireshark shows the frame without errors. I leave it up to you to check if the dissected values make any sense.

HINT: I'm not sure if my modification made the frame a valid DIS frame. I did not check the code very thoroughly. I just believed Wireshark when it stopped showing an error, without knowing exactly why it stopped!!

HINT#2: The PDU Length might be wrong as well in your frame, however Wireshark does not check the value. Header PDU Length value: 48. DATA PDU bytes: 36.

Regards

answered 09 May '14, 16:42 Kurt Knochner ♦

Wow thanks for figuring that out. How did you know what wireshark thought was wrong, run it in debug? However based on what I know the DIS dissector is wrong here, the code that generated this packet is 10+ years old and in use in 1000's of simulators with no reported issues. Of course that is not proof. I will locate the full spec and take a look. But I have seen informal descriptions of this packet, and they say there is nothing tacked on to the end. Interesting though, and cloudshark is very impressive. I think I will accept this answer soon because it does show why wireshark does not like the packet. Although I think the jury is still out, at least a bit, on whether the original packet I posted is truly malformed, or if wireshark just thinks it is. (10 May '14, 20:56) pwinston

How I did it? Code review and some guesswork ;-) As I don't have the protocol specs, I don't know who is right, your frame or my modified one. (11 May '14, 22:53) Kurt Knochner ♦
please post the pcap file!
Sure, but how? I saw someone else say "post the K12 on pastebin" so that's what I did. Let me know where I will put it up!
Google drive, dropbox, cloudshark.org
Okay I added cloudshark link to pcap in the question above, thanks for the tip that was simple.
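
Added example, not part of the original thread and not Wireshark's dissector code: a stand-alone check of the header PDU Length against the bytes actually present in a UDP payload, the value the answer says Wireshark does not verify. It assumes the standard 12-byte DIS PDU header with a big-endian 16-bit length at byte offset 8; the helper names and sample bytes are constructed, and it goes one step further by walking several PDUs bundled in one datagram.

```python
import struct

# Assumed DIS PDU header layout (12 bytes, network byte order):
# version, exercise ID, PDU type, protocol family, timestamp, length, padding
DIS_HEADER = struct.Struct(">BBBBIHH")


def walk_dis_pdus(payload: bytes):
    """Split one UDP payload into PDUs using each header's length field.

    Returns a list of (offset, pdu_type, declared_len, available_len, verdict).
    Walking stops at the first PDU whose length cannot be trusted.
    """
    results = []
    offset = 0
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < DIS_HEADER.size:
            # Leftover bytes too short to hold a header
            results.append((offset, None, None, remaining, "short-header"))
            break
        fields = DIS_HEADER.unpack_from(payload, offset)
        pdu_type, declared = fields[2], fields[5]
        if declared < DIS_HEADER.size:
            results.append((offset, pdu_type, declared, remaining, "length-below-header"))
            break
        if declared > remaining:
            # Header promises more bytes than the datagram carries
            results.append((offset, pdu_type, declared, remaining, "truncated"))
            break
        results.append((offset, pdu_type, declared, declared, "ok"))
        offset += declared
    return results


def make_pdu(declared_len: int, body_len: int, pdu_type: int = 20) -> bytes:
    """Build a constructed sample PDU: header plus a zero-filled body."""
    header = DIS_HEADER.pack(6, 1, pdu_type, 5, 0, declared_len, 0)
    return header + bytes(body_len)


if __name__ == "__main__":
    # Constructed samples using the 48 and 36 quoted in the answer
    print(walk_dis_pdus(make_pdu(48, 36)))  # 12-byte header + 36-byte body
    print(walk_dis_pdus(make_pdu(48, 24)))  # only 36 bytes in total
```

Fed the UDP payload bytes of a captured frame, the verdict shows whether the length field or the byte count is the inconsistent value before the dissector's output is relied on.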