This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why is Wireshark reporting that my WebSocket Connection Close is a Malformed Packet?

0

Is it because my payload length is zero? RFC 6455 seems to state that the payload for this is optional.

Thanks

No.     Time           Source                Destination           Protocol sPort  dPort  Length Info
    161 0.000097000    192.168.60.80         192.168.60.2          WebSocket 80     4477   60     WebSocket Connection Close [FIN] [Malformed Packet]
Frame 161: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0 (eth0)
    Encapsulation type: Ethernet (1)
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http:websocket]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: Informat_34:56:78 (00:00:12:34:56:78), Dst: CadmusCo_ec:2d:88 (08:00:27:ec:2d:88)
    Destination: CadmusCo_ec:2d:88 (08:00:27:ec:2d:88)
        Address: CadmusCo_ec:2d:88 (08:00:27:ec:2d:88)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Informat_34:56:78 (00:00:12:34:56:78)
        Address: Informat_34:56:78 (00:00:12:34:56:78)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
    Padding: 00000000
Internet Protocol Version 4, Src: 192.168.60.80 (192.168.60.80), Dst: 192.168.60.2 (192.168.60.2)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 42
    Identification: 0x06b6 (1718)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x7a75 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.60.80 (192.168.60.80)
    Destination: 192.168.60.2 (192.168.60.2)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 4477 (4477), Seq: 755, Ack: 591, Len: 2
    Source Port: 80 (80)
    Destination Port: 4477 (4477)
    [Stream index: 12]
    [TCP Segment Len: 2]
    Sequence number: 755    (relative sequence number)
    [Next sequence number: 757    (relative sequence number)]
    Acknowledgment number: 591    (relative ack number)
    Header Length: 20 bytes
    .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 1460
    [Calculated window size: 1460]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x0490 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.000583000 seconds]
        [Bytes in flight: 2]
WebSocket
    1... .... = Fin: True
    .000 .... = Reserved: 0x00
    .... 1000 = Opcode: Connection Close (8)
    0... .... = Mask: False
    .000 0000 = Payload length: 0
    Payload
        Close: <missing>
[Malformed Packet: WebSocket]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
0000  08 00 27 ec 2d 88 00 00 12 34 56 78 08 00 45 00   ..'.-....4Vx..E.
0010  00 2a 06 b6 00 00 40 06 7a 75 c0 a8 3c 50 c0 a8   .*....@.zu..<P..
0020  3c 02 00 50 11 7d 21 71 9a 4c 3f 65 16 f3 50 18   <..P.}!q.L?e..P.
0030  05 b4 04 90 00 00 88 00 00 00 00 00               ............

asked 11 Jun '15, 12:51

brownslink
6225
accept rate: 0%


One Answer:

0

This looks like an issue that was solved in the Wireshark 1.99.x branch and not in Wireshark 1.12.x: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d555aa759b9fb3199eb5822c20c86ed80c4608d3

Could you give the Wireshark 1.99.6 development build found on http://www.wireshark.org a try?

answered 11 Jun '15, 14:14

Pascal Quantin
5.5k1060
accept rate: 30%
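
The frame in the question (bytes 88 00) is a well-formed Close frame: RFC 6455 section 5.5.1 makes the Close body optional, and only when a body is present must it start with a 2-byte status code. The following bounds-checked parser is an added example, not code from this thread or from Wireshark's dissector; the function, enum and sample-array names are hypothetical, and the two non-capture samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ws_close_result {          /* hypothetical names, for this example only */
    WS_CLOSE_OK_EMPTY,          /* valid Close, no body (RFC 6455, 5.5.1) */
    WS_CLOSE_OK_STATUS,         /* valid Close carrying a status code */
    WS_CLOSE_NOT_CLOSE,         /* opcode is not 0x8 */
    WS_CLOSE_TRUNCATED,         /* buffer shorter than the frame claims */
    WS_CLOSE_INVALID            /* breaks the control-frame rules */
};

/* TCP payload of frame 161 in the capture above. */
static const uint8_t ws_frame_161[] = { 0x88, 0x00 };
/* Constructed samples: status 1000, and a body too short for a status. */
static const uint8_t ws_close_1000[] = { 0x88, 0x02, 0x03, 0xE8 };
static const uint8_t ws_close_1byte[] = { 0x88, 0x01, 0x03 };

/* Validate one frame as a Close frame; *status is set on OK_STATUS only. */
enum ws_close_result ws_parse_close(const uint8_t *buf, size_t len, uint16_t *status)
{
    if (len < 2) return WS_CLOSE_TRUNCATED;
    if ((buf[0] & 0x0F) != 0x8) return WS_CLOSE_NOT_CLOSE;

    int masked = buf[1] & 0x80;
    size_t plen = buf[1] & 0x7F;
    /* Control frames must have FIN set and at most 125 payload bytes, so
     * the 126/127 extended-length encodings are never valid here. */
    if (!(buf[0] & 0x80) || plen > 125) return WS_CLOSE_INVALID;
    size_t hdr = 2 + (masked ? 4 : 0);      /* optional 4-byte masking key */
    if (len < hdr + plen) return WS_CLOSE_TRUNCATED;

    if (plen == 0) return WS_CLOSE_OK_EMPTY;  /* never read a status here */
    if (plen == 1) return WS_CLOSE_INVALID;   /* status code needs 2 bytes */
    uint8_t hi = buf[hdr], lo = buf[hdr + 1];
    if (masked) { hi ^= buf[2]; lo ^= buf[3]; }
    *status = (uint16_t)((hi << 8) | lo);     /* network byte order */
    return WS_CLOSE_OK_STATUS;
}

int main(void)
{
    uint16_t st = 0;
    printf("frame 161: %d\n", ws_parse_close(ws_frame_161, sizeof ws_frame_161, &st));
    printf("1-byte body: %d\n", ws_parse_close(ws_close_1byte, sizeof ws_close_1byte, &st));
    enum ws_close_result r = ws_parse_close(ws_close_1000, sizeof ws_close_1000, &st);
    printf("status 1000: %d (%u)\n", r, st);
    return 0;
}
```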