This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DNP Serial Malformed Packet.

0

Wireshark gives me a "malformed packet" message every time my DNP 3 responses are larger than a single frame. I am analyzing DNP over serial. I am trying to determine the setting that will allow decoding of greater than 255-byte packets, but am not having any luck. Any ideas?

asked 28 Jun '17, 15:59

Kurt

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc?

(28 Jun '17, 21:25) grahamb ♦

That's not really necessary. I simply need to know how to set Wireshark to decode more than one frame of serial data. I figured it out with ASE2000, I just need help with Wireshark.

(06 Jul '17, 21:10) Kurt

As the DNP3 dissector successfully reassembles DNP3 traffic over both TCP and UDP, I suspect that the fact that your capture is "serial" may be the issue, hence the need to see the capture.

How exactly did you make the capture file?

(07 Jul '17, 02:58) grahamb ♦

One Answer:

0

Go to Edit -> Preferences -> Protocols -> DNP 3.0, or right-click the DNP layer in the packet dissection pane. There is a single preference, "Reassemble DNP3 messages spanning multiple TCP segments", which is, however, on by default. If it is on and the problem persists, something is wrong with the trace contents or with the dissector; that's why @grahamb asked you to share the trace.

answered 07 Jul '17, 00:11

sindy

I haven't used this service before. I posted a capture on CloudShark as requested.

(11 Jul '17, 12:50) Kurt

Can you provide a link to it?

(11 Jul '17, 12:51) sindy