This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

In What Way Is This a Malformed Packet?

0

Hello,

I am learning to use Wireshark for the first time to debug an application I wrote that exposes an HTTP API. I have noticed that Wireshark shows [Malformed Packet] in the Info field for every 200 (OK) response I receive from my application:

6   0.002723261 ::1 ::1 HTTP    358 HTTP/1.1 200 OK [Malformed Packet]

I don't know in what way these responses are malformed, and my client programs don't seem to have any problem with these responses.

Here is a typical response:

`[email protected]|@  J$^8
##HTTP/1.1 200 OK
Date: Sun, 02 Apr 2017 07:38:52 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(9.3.6.v20151106)

78 {"description":null,"resultCode":"WARNING","resultMessage":"Didn\u0027t find and so can\u0027t describe reservation: 1"}

Can anyone tell me what is wrong with it? I am suspicious of characters preceding “HTTP” but I don’t know enough to know whether they are what is causing Wireshark to declare the packets malformed.

Thank you for your help.

-Dan

asked 02 Apr '17, 01:37

subuta
6113
accept rate: 0%


One Answer:

1

You're right, the suspicious characters preceding "HTTP" should not be there. Web browsers usually ignore a lot of bad things, as their primary goal is to render a page, so that's why they don't complain. But from a protocol point of view the packet is malformed. The "HTTP" characters must be the first thing following the TCP header, but in your case there's some garbage between the TCP header and HTTP. So you should find out where the garbage bytes come from, and prevent them from being written to the packet.

answered 02 Apr '17, 08:00

Jasper ♦♦
23.8k551284
accept rate: 18%

Thank you for the quick and helpful reply, Jasper. I will investigate these garbage characters.

(02 Apr '17, 10:43) subuta
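
Added example, not part of the original question or answer: a small Python check that reports any bytes ahead of the `HTTP/1.x` status line in a reassembled TCP payload and, going beyond the answer's point, also walks the chunked framing that the response's `Transfer-Encoding: chunked` header declares. The function names, the CRLF line endings, the terminating `0` chunk and the stray leading bytes in the sample are assumptions made for the example; the headers and JSON body are taken from the question.

```python
import re

STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3}[^\r\n]*\r\n")
CHUNKED = re.compile(rb"transfer-encoding:\s*chunked\s*", re.I)

def check_chunks(body):
    """Walk chunked framing: hex size, CRLF, data, CRLF, ... ending with a 0 chunk."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return ["chunk-size line not terminated by CRLF"]
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return ["invalid chunk size %r" % body[pos:eol]]
        size = int(size_field, 16)
        if size == 0:
            return []  # last chunk reached; trailers are not inspected
        end = eol + 2 + size
        if body[end:end + 2] != b"\r\n":
            return ["chunk of %d bytes is truncated or not followed by CRLF" % size]
        pos = end + 2

def check_http_response(payload):
    """Return a list of framing problems in one reassembled TCP payload."""
    m = STATUS_LINE.search(payload)
    if m is None:
        return ["no HTTP/1.x status line found"]
    problems = []
    if m.start() > 0:
        problems.append("%d byte(s) before status line: %r"
                        % (m.start(), payload[:m.start()]))
    head, sep, body = payload[m.start():].partition(b"\r\n\r\n")
    if not sep:
        return problems + ["header block not terminated by an empty line"]
    if any(CHUNKED.fullmatch(h) for h in head.split(b"\r\n")[1:]):
        problems += check_chunks(body)
    return problems

# Constructed sample: headers and JSON body from the question; CRLFs and final chunk assumed.
JSON_BODY = (rb'{"description":null,"resultCode":"WARNING","resultMessage":'
             rb'"Didn\u0027t find and so can\u0027t describe reservation: 1"}')
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n78\r\n" + JSON_BODY + b"\r\n0\r\n\r\n")
BAD = b"\x00\x01##" + GOOD  # constructed stray bytes ahead of the status line

if __name__ == "__main__":
    print(check_http_response(GOOD))
    print(check_http_response(BAD))
```

The JSON body in the question is 120 bytes long, which matches the `78` (hexadecimal) that precedes it, so that value is the chunk size rather than part of the body.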