This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

bogus ipv4 with ver 2.0.1

0

I just downloaded version 2.0.1. I have a pcap that works in Wireshark version 1.12.9 but gives me bogus IPv4 in version 2.0.1. I can read other pcaps in 2.0.1 which have both ipv4 and 6, but this one is giving me trouble. I have attached a couple of screenshots. Not sure if the screenshots will work or not since this is the first question I have ever asked. Appreciate any assistance.

Here is a link to a single packet pcap https://drive.google.com/open?id=0B6xDWNlkBv4CTEo3RzdKS2hiYW8.


asked 04 Feb '16, 08:26


bmwdad
accept rate: 0%

edited 04 Feb '16, 10:48

Could you share a pcap file? A single packet should be sufficient.

This code part was reworked between Wireshark 1.12.9 and 2.0.1, but the decoding should still be the same. If you provide a sample capture quickly I should be able to look at it and eventually fix the bug before Wireshark 2.0.2 is released.

(04 Feb '16, 08:46) Pascal Quantin

The usual issue with trying to debug screenshots: the bit we'd like to see isn't displayed. The contents of the Null/Loopback part of the tree are interesting, as that's where the subsequent protocol is determined.

A capture file would allow direct examination; could you supply one? You can slice the capture file after the IP header if privacy is an issue.

(04 Feb '16, 09:07) grahamb ♦

I do not see a method to attach a pcap to the question. I have responded in email to Pascal with a pcap.

(04 Feb '16, 09:51) bmwdad

To share a pcap, put it in a publicly shared place, e.g. Google Drive, Dropbox etc., and edit the original question with a link to the file.

(04 Feb '16, 09:57) grahamb ♦

I did not receive an email. Please consider uploading the file on one of the sites suggested by Graham. Thanks.

(04 Feb '16, 10:14) Pascal Quantin

I have updated the original question with a link to a pcap.

(04 Feb '16, 11:05) bmwdad

One Answer:

0

Your capture is using an Ethertype IPv4 (0x0800) while encapsulating an IPv6 packet.

Wireshark versions up to 1.12.X allowed this, but Wireshark 2.0.X strengthens the checks and considers this an error. Your application doing the capture should use an Ethertype IPv6 (0x86DD) instead.

In the meantime, you can force the dissection as IPv6 by using the 'Decode As' functionality and forcing dissection of Ethertype 0x0800 as IPv6. But this will break dissection of standard Ethernet IPv4 packets, for example, so use this with caution.

answered 04 Feb '16, 11:32


Pascal Quantin
accept rate: 30%

edited 04 Feb '16, 11:32
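As an added example (not from the original thread or from Wireshark's own code), here is a small Python check modelled on the consistency problem the answer describes: it compares the EtherType of an Ethernet II frame with the version nibble of the IP header that follows, flags the 0x0800-carrying-IPv6 mismatch, and shows how the frame looks once the EtherType is corrected to 0x86DD at the source. The frame bytes and helper names are constructed for illustration.

```python
import struct

# EtherType values from the thread: 0x0800 = IPv4, 0x86DD = IPv6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
VERSION_FOR_ETHERTYPE = {ETHERTYPE_IPV4: 4, ETHERTYPE_IPV6: 6}
ETHERTYPE_FOR_VERSION = {4: ETHERTYPE_IPV4, 6: ETHERTYPE_IPV6}


def check_frame(frame: bytes) -> dict:
    """Compare the Ethernet II EtherType with the version nibble of the IP header
    that follows it (the kind of sanity check a strict dissector applies before
    accepting a payload as IPv4). Returns the fields and a consistency verdict."""
    if len(frame) < 15:
        raise ValueError("need 14 bytes of Ethernet header plus 1 byte of IP header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ip_version = frame[14] >> 4            # high nibble of the first IP header byte
    expected = VERSION_FOR_ETHERTYPE.get(ethertype)
    return {
        "ethertype": ethertype,
        "ip_version": ip_version,
        "consistent": expected is not None and expected == ip_version,
    }


def fix_ethertype(frame: bytes) -> bytes:
    """Return a copy of the frame with the EtherType rewritten to match the IP
    version actually present in the payload (what the capturing application
    should have emitted in the first place)."""
    ip_version = frame[14] >> 4
    if ip_version not in ETHERTYPE_FOR_VERSION:
        raise ValueError(f"unsupported IP version nibble {ip_version}")
    return frame[:12] + struct.pack("!H", ETHERTYPE_FOR_VERSION[ip_version]) + frame[14:]


# Constructed sample frames (not the poster's capture): 6-byte dst MAC,
# 6-byte src MAC, 2-byte EtherType, then a minimal IP header.
MACS = bytes.fromhex("001122334455" "66778899aabb")
IPV6_HDR = (bytes.fromhex("60000000")          # version 6, class 0, flow label 0
            + struct.pack("!HBB", 0, 59, 64)   # payload len 0, next hdr 59 (none), hop limit 64
            + bytes(16) + bytes(16))           # unspecified src/dst addresses
IPV4_HDR = bytes.fromhex("4500001400000000400100000a0000010a000002")  # 20-byte IPv4 header, checksum left 0

BOGUS_FRAME = MACS + struct.pack("!H", ETHERTYPE_IPV4) + IPV6_HDR   # the mismatch from the thread
GOOD_V4_FRAME = MACS + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HDR

if __name__ == "__main__":
    print("bogus :", check_frame(BOGUS_FRAME))
    print("fixed :", check_frame(fix_ethertype(BOGUS_FRAME)))
    print("ipv4  :", check_frame(GOOD_V4_FRAME))
```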