This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TDS: Malformed Packet

0

Good morning,

When analyzing a trace I found this message; for more I look online I find response to what is past, and if the error is real or not. Can you help?

[Malformed Packet: TDS]
    Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
        Message: Malformed Packet (Exception occurred)
        Severity level: Error
        Group: Malformed

I have Windows Server 2003 and SQL Server 2005. Thanks.

asked 13 Apr '11, 01:30

dagonpal

edited 13 Apr '11, 01:34


3 Answers:

1

Wireshark thinks the packet is malformed. This could be because it really is malformed. A few possible reasons might be because the snaplen causes the packet to be truncated during capturing, or the packet could have been malformed originally by the sender. The packet could have become corrupted in transit or intentionally by a fuzz-tester, for example. On the other hand, the packet could be just fine and it's incorrectly being reported as malformed due to a bug in the Wireshark TDS dissector.

answered 13 Apr '11, 09:04

cmaynard ♦♦

OK, I understand, but how do I know if it is truly a malformed packet or the packet is correct?

(14 Apr '11, 00:02) dagonpal

Well, that requires some knowledge of both the protocol and the dissector itself. Here are some links to documents that might help you out:

If, after some examination, you think the TDS dissector is somehow flawed, you might want to open a bug report and upload your sample capture file to it.

(14 Apr '11, 07:56) cmaynard ♦♦

OK perfect, thanks.

(18 Apr '11, 07:27) dagonpal

(I converted your "answer" to a "comment", that's the way this Q&A site works best, see also the FAQ. Please also accept an "answer" by clicking on the checkmark next to it if it did indeed answer your question so that your question will not be listed on the unanswered questions list anymore)

(18 Apr '11, 13:07) SYN-bit ♦♦
(12 Sep '11, 08:03) Bill Meier ♦♦

0

In addition to the possibilities Chris Maynard suggested, the TDS dissector tries to detect TDS traffic not to or from ports 1433 or 2433 by looking at otherwise-unidentified TCP traffic to see if it looks like TDS traffic; this could result in incorrectly identifying non-TDS traffic as TDS and reporting it as malformed TDS traffic.

answered 15 Apr '11, 09:36

Guy Harris ♦♦

edited 15 Apr '11, 09:36
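
A rough way to triage such a frame by hand, as an added example that is not part of the original answers and is not the Wireshark dissector's own logic: it checks the 8-byte TDS packet header (layout and type codes as defined in MS-TDS) against the bytes actually captured, which separates snaplen truncation and TCP segmentation from traffic that was never TDS. The function name, result strings and sample bytes are constructed for illustration.

```python
import struct

# Packet type codes from the MS-TDS packet header (Sybase-only types omitted).
TDS_TYPES = {1: "SQL batch", 2: "pre-TDS7 login", 3: "RPC", 4: "tabular result",
             6: "attention", 7: "bulk load", 8: "federated auth token",
             14: "transaction manager request", 16: "TDS7 login", 17: "SSPI",
             18: "pre-login"}

# type, status, length, SPID, packet ID, window; header fields are big-endian.
HDR = struct.Struct(">BBHHBB")


def triage_tds(payload: bytes, caplen: int, wirelen: int) -> str:
    """Explain why a TCP payload might be flagged as malformed TDS.

    payload is the TCP payload as captured; caplen and wirelen are the
    frame's captured and on-the-wire lengths from the pcap record header.
    """
    if not payload:
        return "no TCP payload"
    cut = caplen < wirelen  # capture stored fewer bytes than were on the wire
    offset = 0
    while offset < len(payload):  # a segment may carry several TDS packets
        remaining = len(payload) - offset
        if remaining < HDR.size:
            return "truncated by snaplen" if cut else "header split across TCP segments"
        ptype, _status, length, _spid, _pkt_id, _window = HDR.unpack_from(payload, offset)
        if ptype not in TDS_TYPES or length < HDR.size:
            return "not plausible TDS"
        if length > remaining:
            return "truncated by snaplen" if cut else "continues in next TCP segment"
        offset += length
    return "headers consistent"


# Constructed sample: a 47-byte pre-login packet (type 0x12, EOM status), body zeroed.
SAMPLE = HDR.pack(0x12, 0x01, 47, 0, 1, 0) + bytes(39)

if __name__ == "__main__":
    print(triage_tds(SAMPLE, 101, 101))
    print(triage_tds(SAMPLE[:20], 74, 101))
    print(triage_tds(b"GET / HTTP/1.1\r\n", 70, 70))
```

A result of "headers consistent" on a frame that Wireshark still marks as malformed points at the packet body or at the dissector, which is the case where a bug report with the capture attached is useful.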

0

I had the same problem looking at a pcap from SQL Server and then I saw the hardware was Itanium. I changed it to big endian in the TDS protocol settings and everything parsed ok. Just noting it in case you have the same problem.

answered 11 Sep '11, 20:28

cfed