In What Way Is This a Malformed Packet?

Question

Hello,

I am learning to use Wireshark for the first time to debug an application I wrote that exposes an HTTP API. I have noticed that Wireshark shows [Malformed Packet] in the Info field for every 200 (OK) response I receive from my application:

6   0.002723261 ::1 ::1 HTTP    358 HTTP/1.1 200 OK [Malformed Packet]

I don't know in what way these responses are malformed, and my client programs don't seem to have any problem with these responses.

Here is a typical response:

`[email protected]|@  J$^8
##HTTP/1.1 200 OK
Date: Sun, 02 Apr 2017 07:38:52 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(9.3.6.v20151106)
78
{"description":null,"resultCode":"WARNING","resultMessage":"Didn\u0027t find and so can\u0027t describe reservation: 1"}

Can anyone tell me what is wrong with it? I am suspicious of characters preceding “HTTP” but I don’t know enough to know whether they are what is causing Wireshark to declare the packets malformed..

Thank you for your help.

-Dan

Answer 1

You're right, the suspicious characters preceding "HTTP" should not be there. Web browsers are usually ignoring a lot of bad things, as their primary goal is to render a page, so that's why they don't complain. But from a protocol point of view the packet is malformed. The "HTTP" characters must be the first thing following the TCP header, but in your case there's some garbage between the TCP header and HTTP. So you should find out where the garbage bytes come from, and prevent them from being written to the packet.