Hi I have been doing a wireshark traces as were are having an issue with faxes being recived , the fax comes through as blank. On the trace it shows [Malformed Packet: T.38] I have never seen this before can anyone explain what this means. asked 21 Nov '16, 03:33  MattG |
One Answer:
It means that wireshark detected that there was something in the data that it coulnd not make sense off. This either means there was something wrong in the received data or the T.38 dissector is not able to read the T.38 packet correctly (either because something was not implemented yet or correctly). I looked at the source code and there are a couple of places where Wireshark might report a Malformed T.38 packet. It all depends on the pcap data you have. Are you able to share a tracefile? (see @Jasper's blogpost about sharing files for details) answered 21 Nov '16, 04:35  SYN-bit ♦♦ edited 21 Nov '16, 07:04  sindy |
Other than that, it may also mean that the sender of the T.38 (udptl) packets continued to send audio RTP a while after a switchover to T.38 has been renegotiated; Wireshark's telephony analyzer expects an immediate switchover so it assumes that the very first media packet after the renegotiation is already a T.38 one and dissects it as such. But if this is the case, you should see only first few packets marked as malformed, and the rest would be clean T.38.
Oh, and I've fixed the collision of formatting in @SYN-bit's Answer, so the link to the tutorial is now clickable as it should be.
Oops, did not check the link, thanks for the correction @sindy. And also for the useful addition (I don't see T.38 packets often ;-))
if you use
[@username text][1], the@usernameobviously wins over the[][1].