This is our old Q&A Site. Please post any new questions and answers at


I'm getting this warning on my decoded section of an item. "Expert Info (Warning/Malformed): Trying to fetch a signed integer with length 8"

As it is suggested, I'm trying to add an item that is 8 bytes and I should use an unsigned int in order that the item is properly displayed. However, I'm trying to use the proto_tree_add_uint64 but unsuccessfully.

This is my part of the code

    proto_item *count_id = proto_tree_add_item(count_tree_, hf_map_pdu_eth_count, tvb, offset, 1, ENC_BIG_ENDIAN);
    proto_tree *val = proto_item_add_subtree(count_id, ett_map);
    offset += 1;
    proto_tree_add_item(val, hf_map_pdu_c_value, tvb, offset, 8, ENC_BIG_ENDIAN); /* <-- the 8-byte item */
    offset += 8;

What is the approach when we want to display in DEC 8 bytes?

Many thanks

asked 26 Jul '17, 01:37

gerolima

Please double check hf_map_pdu_c_value definition and ensure that it is defined as FT_UINT64 and not (let's say) FT_INT32.

answered 26 Jul '17, 02:23

Pascal Quantin

Yes it's 64.

    { &hf_map_pdu_c_value, { "Counter value", "map.c_value", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } },

(26 Jul '17, 04:09) gerolima

With such code, the error you are reporting cannot happen with the current development version. Are you building a plugin or an internal dissector? Which Wireshark version are you building with?

(26 Jul '17, 04:27) Pascal Quantin

No, I'm building a plugin. Sorry, it's been a while since I started this project. I think it's 2.1.1; is there any way to verify the version to be sure?

(26 Jul '17, 05:44) gerolima

Except in some rare cases or if you just like living dangerously, you should really work with a stable release version, currently the latest stable release being 2.4.0.

You can check for the version, for example:

    $ head -n 10
    # Autoconf script for Wireshark

    # Define variables for the components of the Wireshark version number.
    m4_define([version_major], [2])
    m4_define([version_minor], [4])
    m4_define([version_micro], [0])

(26 Jul '17, 08:55) cmaynard ♦♦


That's an unsigned 64-bit integer; if you want a signed 64-bit integer, you want FT_INT64.

(26 Jul '17, 10:53) Guy Harris ♦♦

So presumably you are building a plugin with a given version of Wireshark, and trying to run it with another version where the numerical value for FT_UINT64 corresponds to FT_INT8, FT_INT16 or FT_INT32. This is a very classic issue when building plugins. The Wireshark API is not stable between major releases, so you need to recompile your plugin against the release you intend to use.

(26 Jul '17, 11:15) Pascal Quantin

Just to clarify, I just checked the version:

    # Define variables for the components of the Wireshark version number.
    m4_define([version_major], [2])
    m4_define([version_minor], [3])
    m4_define([version_micro], [0])

So, each time there is a new major release I need to git pull the changes and re-compile the project? To be honest, I'm a bit afraid to mess with my dev environment; it took me a lot of effort to reach a stable state :)

(26 Jul '17, 22:51) gerolima

Using a plugin, you have no other choice. Note that 2.3.0 was a development snapshot, so the API could change at any time. Stable releases always have an even minor version.

(26 Jul '17, 22:59) Pascal Quantin
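
The mismatch described in the comments above (a plugin compiled against one release's headers and loaded by another), as an added illustration that is not part of the original thread or Wireshark's own code. The enum numbering, the `host_*` names and the length check are constructed assumptions, not the real `ftenum` values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed field-type numbering for two hypothetical releases.
 * These are NOT Wireshark's real ftenum values. */
enum build_ft {            /* headers the plugin was compiled against */
    BUILD_FT_NONE, BUILD_FT_BOOLEAN, BUILD_FT_CHAR, BUILD_FT_UINT8,
    BUILD_FT_UINT16, BUILD_FT_UINT32, BUILD_FT_UINT64, BUILD_FT_INT8
};
enum host_ft {             /* release that loads the plugin: no FT_CHAR */
    HOST_FT_NONE, HOST_FT_BOOLEAN, HOST_FT_UINT8, HOST_FT_UINT16,
    HOST_FT_UINT32, HOST_FT_UINT64, HOST_FT_INT8, HOST_FT_INT16,
    HOST_FT_INT32, HOST_FT_INT64, HOST_FT_COUNT
};

static const char *const host_names[HOST_FT_COUNT] = {
    "FT_NONE", "FT_BOOLEAN", "FT_UINT8", "FT_UINT16", "FT_UINT32",
    "FT_UINT64", "FT_INT8", "FT_INT16", "FT_INT32", "FT_INT64"
};

/* How the host names a raw type number found in a plugin's hf entry. */
const char *host_type_name(int raw)
{
    return (raw >= 0 && raw < HOST_FT_COUNT) ? host_names[raw] : "unknown";
}

/* Host-side length check, modelled on the warning in the question:
 * a signed type of 32 bits or fewer cannot be fetched from 8 bytes.
 * Returns 0 if the item can be added, -1 if it is flagged malformed. */
int host_add_item(int raw_type, int length)
{
    int narrow_signed = raw_type == HOST_FT_INT8 ||
                        raw_type == HOST_FT_INT16 || raw_type == HOST_FT_INT32;
    if (narrow_signed && length > 4) {
        printf("Trying to fetch a signed integer with length %d (%s)\n",
               length, host_type_name(raw_type));
        return -1;
    }
    return 0;
}

int main(void)
{
    int stale = BUILD_FT_UINT64; /* the binary carries the number, not the name */
    printf("plugin type %d is %s to the host\n", stale, host_type_name(stale));
    host_add_item(stale, 8);            /* stale build: flagged     */
    host_add_item(HOST_FT_UINT64, 8);   /* rebuilt plugin: accepted */
    return 0;
}
```

The source line `FT_UINT64` is identical in both builds; only recompiling against the host's headers changes the number that ends up in the plugin binary.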
question asked: 26 Jul '17, 01:37

last updated: 26 Jul '17, 22:59