This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

T38 Malformed Packet

0

Hi

I have been doing Wireshark traces as we are having an issue with faxes being received; the fax comes through as blank. On the trace it shows [Malformed Packet: T.38]

I have never seen this before. Can anyone explain what this means?

asked 21 Nov '16, 03:33

MattG


One Answer:

0

It means that Wireshark detected that there was something in the data that it could not make sense of. This either means there was something wrong in the received data or the T.38 dissector is not able to read the T.38 packet correctly (either because something was not implemented yet or correctly).

I looked at the source code and there are a couple of places where Wireshark might report a Malformed T.38 packet. It all depends on the pcap data you have. Are you able to share a tracefile? (see @Jasper's blog post about sharing files for details)

answered 21 Nov '16, 04:35

SYN-bit ♦♦

edited 21 Nov '16, 07:04

sindy

Other than that, it may also mean that the sender of the T.38 (UDPTL) packets continued to send audio RTP for a while after a switchover to T.38 has been renegotiated; Wireshark's telephony analyzer expects an immediate switchover, so it assumes that the very first media packet after the renegotiation is already a T.38 one and dissects it as such. But if this is the case, you should see only the first few packets marked as malformed, and the rest would be clean T.38.

Oh, and I've fixed the collision of formatting in @SYN-bit's Answer, so the link to the tutorial is now clickable as it should be.

(21 Nov '16, 07:09) sindy

Oops, did not check the link, thanks for the correction @sindy. And also for the useful addition (I don't see T.38 packets often ;-))

(21 Nov '16, 07:15) SYN-bit ♦♦

If you use [@username text][1], the @username obviously wins over the [][1].

(21 Nov '16, 07:17) sindy
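
A rough way to test for the late-RTP case sindy describes, given the UDP payloads of the media stream in capture order starting at the first packet after the renegotiation. This is an added example, not part of the original thread or of Wireshark; the function names and the sample packets are constructed, and the check is a heuristic based only on the RTP fixed header (RFC 3550) and the 16-bit sequence number that opens a UDPTL packet.

```python
import struct

def rtp_header(payload: bytes):
    """Return (seq, ssrc) if the payload has an RTP v2 fixed header, else None."""
    if len(payload) < 12 or payload[0] >> 6 != 2:   # RFC 3550: version bits == 2
        return None
    seq, _ts, ssrc = struct.unpack("!HII", payload[2:12])
    return seq, ssrc

def leading_rtp_run(payloads):
    """Count packets at the start that form one continuous RTP stream.
    Same SSRC and seq+1 are required, because a UDPTL sequence number in
    0x8000-0xBFFF would also pass the version-bit test on its own."""
    run, prev = 0, None
    for p in payloads:
        hdr = rtp_header(p)
        if hdr is None:
            break
        if prev is not None and (hdr[1] != prev[1] or hdr[0] != (prev[0] + 1) & 0xFFFF):
            break
        prev, run = hdr, run + 1
    return run

def diagnose(payloads):
    """Classify the media packets seen after the T.38 renegotiation."""
    run = leading_rtp_run(payloads)
    if run == 0:
        return "no leading RTP: look for another cause of the malformed packets"
    if run == len(payloads):
        return "all RTP in this sample: no T.38 seen yet"
    # UDPTL opens with a 16-bit sequence number; expect it to count up by one.
    seqs = [int.from_bytes(p[:2], "big") for p in payloads[run:]]
    ordered = all(b == (a + 1) & 0xFFFF for a, b in zip(seqs, seqs[1:]))
    return f"{run} late RTP packet(s), then {'in-order' if ordered else 'out-of-order'} UDPTL"

def make_rtp(seq):    # constructed: PCMA (PT 8), 160 bytes of filler audio
    return struct.pack("!BBHII", 0x80, 8, seq, seq * 160, 0x1234ABCD) + b"\xd5" * 160

def make_udptl(seq):  # constructed: real sequence number, filler body bytes
    return struct.pack("!H", seq) + b"\x01\x00\x00\x00"

# Constructed sample: three stray RTP packets, then UDPTL starting at seq 0.
SAMPLE = [make_rtp(4000), make_rtp(4001), make_rtp(4002)] + [make_udptl(n) for n in range(4)]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

If the count of late RTP packets matches the number of packets Wireshark marks as malformed, the capture fits that explanation; a count of zero points back to the data or dissector causes given in the answer.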