Hello friends, I got the following error while capturing our hosting mail server: "Malformed Packet (Exception occurred)" for the PNG protocol. I was using version 1.4.4 and I thought it was a software bug, but then I uninstalled this version and I'm now using version 1.4.7 and still see this error. Does this mean there is a critical situation we have to check deeply, or is it normal? Thanks in advance.

asked 31 May '11, 23:17 by Abood, edited 01 Jun '11, 08:34 by cmaynard ♦♦
One Answer:
I'd say this is normal. It just means that the dissector for PNG failed when trying to work through the data, which often happens if TCP reassembly is turned off and the payload is stretched over multiple packets. I don't think it is critical unless someone uses the PNG dissector flaw to write attack code that utilizes it to inject malicious code (if that is possible at all in this case). Afterwards he needs to send you packets containing the malicious PNG payload and you need to analyze it. Chances for something like that aren't high, but you never know :-)

answered 01 Jun '11, 01:52 by Jasper ♦♦, edited 01 Jun '11, 08:34 by cmaynard ♦♦
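To illustrate the answer's point about why a dissector throws an exception on a partially delivered payload, here is an added example (not code from the original thread or from Wireshark). It walks a PNG's chunk list the way a dissector does, flags truncation or CRC mismatches as "malformed", and shows that the same bytes parse cleanly once the simulated TCP segments are joined back together. The sample PNG and the 40-byte segment size are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class MalformedPNG(Exception):
    """Raised where a dissector would report 'Malformed Packet (Exception occurred)'."""


def build_sample_png(width=2, height=2):
    """Construct a tiny but valid PNG (a constructed sample, not data from a real capture)."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    # One filter-type byte (0 = None) followed by red RGB pixels, per scanline.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def parse_png(buf):
    """Walk the chunk list; raise MalformedPNG on truncation or CRC mismatch."""
    if not buf.startswith(PNG_SIGNATURE):
        raise MalformedPNG("bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise MalformedPNG(f"chunk header truncated at offset {pos}")
        length = struct.unpack(">I", buf[pos:pos + 4])[0]
        ctype = buf[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(buf):
            raise MalformedPNG(f"{ctype.decode('latin-1')} chunk needs {end - len(buf)} more bytes")
        data = buf[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", buf[pos + 8 + length:end])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise MalformedPNG(f"CRC mismatch in {ctype.decode('latin-1')}")
        chunks.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            break
    if not chunks or chunks[-1] != "IEND":
        raise MalformedPNG("no IEND chunk: stream incomplete")
    return chunks


def classify(buf):
    """Return 'ok: ...' with the chunk list, or 'malformed: ...' with the reason."""
    try:
        return "ok: " + ",".join(parse_png(buf))
    except MalformedPNG as exc:
        return "malformed: " + str(exc)


def simulate_segments(buf, mss=40):
    """Split the PNG into segment-sized pieces, as a dissector sees them without reassembly."""
    return [buf[i:i + mss] for i in range(0, len(buf), mss)]


if __name__ == "__main__":
    png = build_sample_png()
    segments = simulate_segments(png, mss=40)
    for i, seg in enumerate(segments):
        print(f"segment {i}: {classify(seg)}")      # each piece alone is 'malformed'
    print("reassembled:", classify(b"".join(segments)))  # joined stream parses fine
```

Run it and the first segment fails with a truncated chunk header, exactly the kind of situation the answer describes; the reassembled stream yields IHDR, IDAT, IEND. Seeing the exception go away after reassembly (or after the full stream is captured) is a quick way to separate a harmless split payload from data worth a closer look.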
Thanks. The TCP reassembly is turned on. What shall we do in order to see that it is not an attack?
Determining if binary content contains attack code is a science in itself, called reversing/reverse engineering. It is not something you can learn without weeks, months and sometimes years of practicing.
But you might be able to look for the consequences of an attack - capture the device that had the exception (preferably with a third, passive Wireshark) and see if the device is trying to communicate with other nodes outside your net that it shouldn't. This can be difficult, too, unless you have full knowledge of what that device should or shouldn't do.
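The comment above suggests watching the affected device for traffic to outside nodes it has no business talking to. As an added example (not part of the original thread), here is a small Python check over a constructed list of flows: anything leaving the internal address ranges that is not on an explicit allowlist of expected external peers gets reported. The addresses, the internal ranges and the allowlist are all hypothetical; a real deployment would feed it flows exported from the capture and an allowlist built from what the mail server is known to need (upstream MX hosts, DNS, NTP and so on).

```python
import ipaddress

# Hypothetical internal ranges for the site; adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical allowlist of (destination, port) pairs the mail server is expected to use.
EXPECTED_PEERS = {("203.0.113.10", 25),   # upstream MX relay
                  ("203.0.113.53", 53),   # external resolver
                  ("198.51.100.7", 123)}  # NTP

# Constructed sample flows (src, dst, dst_port) standing in for a capture export.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 143),          # internal IMAP client, fine
    ("10.0.0.5", "203.0.113.10", 25),       # expected relay, fine
    ("10.0.0.5", "203.0.113.53", 53),       # expected DNS, fine
    ("10.0.0.5", "198.51.100.200", 4444),   # unknown external host, report
    ("10.0.0.5", "203.0.113.10", 8080),     # known host but unexpected port, report
]


def is_internal(addr, internal_nets=INTERNAL_NETS):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internal_nets)


def unexpected_egress(flows, internal_nets=INTERNAL_NETS, expected_peers=EXPECTED_PEERS):
    """Return flows that leave the internal ranges for a peer not on the allowlist."""
    findings = []
    for src, dst, port in flows:
        if is_internal(dst, internal_nets):
            continue  # stays inside the network; out of scope for this check
        if (dst, port) in expected_peers:
            continue  # a known, expected external peer
        findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    for src, dst, port in unexpected_egress(SAMPLE_FLOWS):
        print(f"review: {src} -> {dst}:{port} is not an expected external peer")
```

The allowlist is the hard part, as the comment notes: the check is only as good as your knowledge of what the server should be doing, so expect to refine it after the first pass rather than treat every hit as an incident.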