Is my packet really malformed?

0

Hi, Wireshark marked one of my packets as malformed and I am struggling to find the reason. The packet in hex format is:

000000 B4 B5 2F BF BD 5D 00 D0 ........
000008 95 F8 E8 90 08 00 45 00 ........
000010 00 29 00 06 00 00 3B 06 ........
000018 B9 7A 0A 87 19 75 87 FA ........
000020 1A 59 14 51 C8 88 00 00 ........
000028 19 72 55 91 72 E4 50 18 ........
000030 5A 3F CE 7B 00 00 02 04 ........
000038 05 AA 41 00             ....

This is a TCP packet with one byte data. The data byte is the second last byte in the penultimate line ('02').

The problem is, if I change the data to anything else (say, make the data byte '01'), Wireshark considers the packet legitimate. I.e., Wireshark considers the following packet good.

000000 B4 B5 2F BF BD 5D 00 D0 ........
000008 95 F8 E8 90 08 00 45 00 ........
000010 00 29 00 06 00 00 3B 06 ........
000018 B9 7A 0A 87 19 75 87 FA ........
000020 1A 59 14 51 C8 88 00 00 ........
000028 19 72 55 91 72 E4 50 18 ........
000030 5A 3F CE 7B 00 00 01 04 ........
000038 05 AA 41 00             ....

Will appreciate any help. Thank you.

asked 09 Jun '15, 11:36

dineshpandey
6112
accept rate: 0%

Just wanted to add.

uname -a: Linux venus.localdomain 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Wireshark version: 1.8.10

(09 Jun '15, 11:41) dineshpandey

One Answer:

1

Your first frame gets erroneously dissected by the FMTP dissector (Flight Message Transfer Protocol).

If you disable that dissector, the frame is not marked as malformed anymore.

Analyze -> Enabled Protocols -> FMTP (uncheck it).

Regards
Kurt

answered 10 Jun '15, 04:06

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
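To see for yourself that nothing is wrong at the Ethernet, IP or TCP layer and that the only difference between the two frames is the single payload byte, the following script dissects both hex dumps from the question. It is an added example, not code from the question, the answer or the Wireshark project. It checks the IP header length against the total length, the TCP data offset, the Ethernet padding after the IP datagram, and the IP and TCP checksums, then reports which byte offsets differ. One thing it surfaces that the question does not mention: the hand-edited frame keeps the original TCP checksum, so the TCP checksum no longer validates for payload 0x01 (that is a separate issue from the "malformed" verdict, which comes from the higher-layer dissector as the answer explains).

```python
"""Dissect the two frames from the question and compare them."""
import struct

# Both 60-byte frames exactly as posted in the question (Ethernet padding included).
FRAME_FLAGGED = bytes.fromhex(
    "B4B52FBFBD5D00D0" "95F8E89008004500" "0029000600003B06" "B97A0A87197587FA"
    "1A591451C8880000" "1972559172E45018" "5A3FCE7B00000204" "05AA4100"
)
FRAME_ACCEPTED = bytes.fromhex(
    "B4B52FBFBD5D00D0" "95F8E89008004500" "0029000600003B06" "B97A0A87197587FA"
    "1A591451C8880000" "1972559172E45018" "5A3FCE7B00000104" "05AA4100"
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's complement sum of 16-bit words (odd length is zero-padded).

    A correctly checksummed header sums to 0xFFFF when the checksum field is included.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_frame(frame: bytes) -> dict:
    """Dissect Ethernet II / IPv4 / TCP and return the fields relevant to the question."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]  # IP total length
    proto = ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    ip_checksum_ok = ones_complement_sum(ip[:ihl]) == 0xFFFF
    tcp = ip[ihl:total_len]        # the TCP segment ends at the IP total length
    trailer = ip[total_len:]       # anything beyond that is Ethernet padding, not TCP
    data_off = (tcp[12] >> 4) * 4  # TCP header length from the data offset field
    payload = tcp[data_off:]
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length).
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_checksum_ok = ones_complement_sum(pseudo + tcp) == 0xFFFF
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "flags": tcp[13] & 0x3F,
        "ip_total_len": total_len,
        "tcp_header_len": data_off,
        "payload": payload,
        "trailer": trailer,
        "ip_checksum_ok": ip_checksum_ok,
        "tcp_checksum_ok": tcp_checksum_ok,
    }


def diff_frames(a: bytes, b: bytes) -> list:
    """Return the byte offsets (from frame start) at which the two frames differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for name, frame in (("flagged", FRAME_FLAGGED), ("accepted", FRAME_ACCEPTED)):
        f = parse_frame(frame)
        print(name, f["src"], f["sport"], "->", f["dst"], f["dport"],
              "flags=0x%02x" % f["flags"], "payload=%s" % f["payload"].hex(),
              "pad=%s" % f["trailer"].hex(),
              "ip_ck=%s tcp_ck=%s" % (f["ip_checksum_ok"], f["tcp_checksum_ok"]))
    print("differing offsets:", diff_frames(FRAME_FLAGGED, FRAME_ACCEPTED))
```

Both frames parse cleanly: IP total length 41 (20 header + 20 TCP + 1 data), TCP data offset 20, one payload byte, and five bytes of Ethernet padding after the datagram. The frames differ only at offset 54, the payload byte, which is exactly what a payload-sniffing heuristic dissector keys on.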