This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why am I seeing malformed packets on my captures?

0

I get the below error for dns requests and response.

I also see UDP Bad length greater than IP Payload.

Any suggestion or advice from anyone as to the cause of this error?

asked 13 Nov '15, 02:26

olutola
6112
accept rate: 0%

edited 13 Nov '15, 02:57

Jaap ♦
11.7k16101

Can you share the capture file? From an image it's impossible to tell. You could use cloudshark for that.

(13 Nov '15, 02:59) Jaap ♦

One Answer:

0

While it's true what @Jaap says regarding the screenshot, I'll make an assumption. The size of the frames and the uniform length pattern (44, 80, 84) do not match a typical DNS query/answer. So I guess that's traffic where Wireshark only believes it could be DNS, based on the protocol and port (TCP/UDP 53), but in reality it's something totally different, hence the "Malformed Packet".

As the IP 41.190.6.70 is on the internet (Nigeria), this looks a bit "strange". Could be DNS tunneling software, malware or simply a bug somewhere.

We will see, as soon as you provide the capture file.

Regards
Kurt

answered 13 Nov '15, 14:10

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
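
The two symptoms discussed in this thread (a UDP length larger than the IP payload, and port 53 traffic that does not decode as DNS) can be checked offline on raw packet bytes. The sketch below is an added example, not part of the original answer or of Wireshark's code; the function names, finding labels and sample packets are hypothetical, and the DNS test is a heuristic that assumes at least one question record.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past one DNS name, or None if it cannot be walked."""
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2 if off + 2 <= len(msg) else None
        if n > 63:  # labels are at most 63 bytes
            return None
        off += 1 + n
    return None

def looks_like_dns(msg):
    """Heuristic (assumption): a 12-byte header plus at least one walkable question."""
    if len(msg) < 12:
        return False
    qdcount = int.from_bytes(msg[4:6], "big")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off)
        if off is None or off + 4 > len(msg):  # QTYPE + QCLASS must fit
            return False
        off += 4
    return qdcount >= 1

def check_udp53(ip_packet):
    """Findings for one raw IPv4 packet carrying UDP (assumes a full IP header)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = int.from_bytes(ip_packet[2:4], "big")
    ip_payload = ip_packet[ihl:total_len]
    udp_len = int.from_bytes(ip_payload[4:6], "big")  # 0 if the header is cut short
    findings = []
    if udp_len > len(ip_payload):
        findings.append("udp-length-exceeds-ip-payload")
    if not looks_like_dns(ip_payload[8:udp_len]):
        findings.append("not-parseable-as-dns")
    return findings

def build(payload, udp_len=None):
    udp = struct.pack("!HHHH", 40000, 53, udp_len or 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x35")
    return ip + udp

# Constructed samples (checksums zero): a well-formed A query, and 36 opaque bytes.
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
OPAQUE = bytes(range(16, 52))
```

`check_udp53(build(OPAQUE))` reports the payload as not parseable as DNS, while `check_udp53(build(QUERY, udp_len=200))` reports only the length mismatch, which helps separate a capture or offload problem from traffic that is not DNS at all.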