This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, analyzing a capture, Expert Information shows an error I have never heard of: Expert Info (Error/Malformed): bogus, should be >= 8

Running WS Version 2.2.4 (v2.2.4-0-gcc3dc1b) on a dedicated Win 2008 R2 Enterprise server

Does anybody know what this error means? There are more than 16000 of these in a 100kB file size for a time frame: Elapsed: 00:01:29

Thx.

asked 11 Jul '17, 02:52

profke

Not without an example of such a packet (you can export a single packet from a capture file if you are concerned about privacy).

Each dissector has its own criteria to declare a packet malformed and each provides its own amount of additional information.

(11 Jul '17, 03:09) sindy

Thanks, but how can I upload a file?

(11 Jul '17, 05:35) profke

I show one packet with this message:

    No.  Time                        Source         Destination   Protocol  Length  Window size value  Time since previous frame in this TCP stream  Info
    17   2017-07-10 23:55:52.952907  170.86.43.201  170.86.39.97  TCP       1514    254                0.000422000                                   1526 → 54748 [ACK] Seq=8182 Ack=22 Win=254 Len=1460

    Frame 17: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0
    Ethernet II, Src: Cisco_12:67:c1 (e4:c7:22:12:67:c1), Dst: VMware_9d:00:33 (00:50:56:9d:00:33)
    Internet Protocol Version 4, Src: 170.86.43.201, Dst: 170.86.39.97
    Transmission Control Protocol, Src Port: 1526, Dst Port: 54748, Seq: 8182, Ack: 22, Len: 1460
    Tabular Data Stream
        Type: Bulk load data (7)
        Status: 0xdb
        Length: 0
            [Expert Info (Error/Malformed): bogus, should be >= 8]
                [bogus, should be >= 8]
                [Severity level: Error]
                [Group: Malformed]

(11 Jul '17, 05:57) profke

In general, to post a pcap file "here" you have to upload it to Cloudshark or to any generic file sharing service, and provide a link to it here (preferably by editing the Question).

In case of a single packet, you can alternatively right-click the Frame layer in the packet dissection pane and use Copy -> ...as Hex Dump, and then paste the clipboard here. Anyone can then import the hex dump into Wireshark.

(11 Jul '17, 06:50) sindy

It says (in general): "This field / length shall be greater or equal to 8, but it's less. This is an error in this protocol". So, nothing bogus about that, unless you can show exactly what protocol it is, what field / length it refers to and why it is valid.

answered 11 Jul '17, 04:24

Jaap ♦

Hi Jaap, what do you mean by "So, nothing bogus about that"?

(11 Jul '17, 06:00) profke

Note that it's possible that the traffic isn't Tabular Data Stream traffic at all. If that's the case and you know what protocol it's supposed to be, you could try to right-click on the TDS information line of a TDS packet within the Packet Details Pane and then choose "Decode As..." to choose which protocol should be dissecting the packets for TCP port 1526. Alternatively, you could just disable the TDS dissector, even if temporarily, via Analyze -> Enabled Protocols -> TDS if you know it's not TDS traffic.

If it is TDS traffic though, then it's malformed, so Wireshark is correctly reporting a bogus tds.length field in that case as Jaap stated.

(11 Jul '17, 07:25) cmaynard ♦♦
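
As an added example (not part of the original thread and not Wireshark's dissector code), the check behind "bogus, should be >= 8" can be reproduced in Python, assuming the standard 8-byte TDS packet header in which the 2-byte big-endian Length field counts the header itself. The function names and the sample bytes are constructed for illustration; only Type 7, Status 0xdb and Length 0 come from the packet quoted in the question.

```python
import struct

TDS_HEADER_LEN = 8  # Type(1) Status(1) Length(2) SPID(2) PacketID(1) Window(1)


def parse_tds_header(data: bytes, offset: int = 0) -> dict:
    """Decode one TDS packet header and flag a length the header cannot fit in."""
    if len(data) - offset < TDS_HEADER_LEN:
        raise ValueError("fewer than 8 bytes left, not a complete TDS header")
    ptype, status, length, spid, packet_id, window = struct.unpack_from(
        "!BBHHBB", data, offset)
    return {
        "offset": offset, "type": ptype, "status": status, "length": length,
        "spid": spid, "packet_id": packet_id, "window": window,
        # Length includes the header, so any value below 8 is impossible.
        "malformed": length < TDS_HEADER_LEN,
    }


def walk_tds_stream(payload: bytes) -> list:
    """Walk back-to-back TDS packets in a reassembled TCP payload.

    Stops at the first malformed header: with a bogus length there is no
    trustworthy way to locate the start of the next packet.
    """
    headers, offset = [], 0
    while len(payload) - offset >= TDS_HEADER_LEN:
        hdr = parse_tds_header(payload, offset)
        headers.append(hdr)
        if hdr["malformed"]:
            break
        offset += hdr["length"]
    return headers


# Constructed sample: one well-formed 12-byte packet (8-byte header plus 4
# payload bytes), then a header with the values from the question
# (Type 7, Status 0xdb, Length 0). Its last four header bytes are made up.
SAMPLE = (bytes.fromhex("0101000c00000100") + b"\xde\xad\xbe\xef"
          + bytes.fromhex("07db000000000000"))

if __name__ == "__main__":
    for h in walk_tds_stream(SAMPLE):
        verdict = "bogus, should be >= 8" if h["malformed"] else "ok"
        print(f"offset {h['offset']:2d} type {h['type']} "
              f"status {h['status']:#04x} length {h['length']} -> {verdict}")
```

A header that fails this check on traffic that really is TDS points at a malformed packet; the same result on every packet of a stream is also what you would see if the bytes belong to another protocol and are only being read as TDS.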