Mailing List Archive: Ethereal: users

malformed packets

Index | Next | Previous | View Threaded

buercky at comcast

Aug 21, 2006, 9:31 PM

Post #1 of 4 (1154 views)
Permalink

malformed packets

guy at alum

Aug 21, 2006, 10:47 PM

Post #2 of 4 (1055 views)
Permalink

Re: malformed packets [In reply to]

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users [at] wireshark
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

brent wrote:

> Im trying to locate a trouble in our network and have done a capture on
> a device using mirror ports of a device. We are getting MALFORMED
> PACKETS on every packet sent from a device on our network. IS this
> caused by the mirror port ? or is this a actual failure of the device ?
> or wireshark?

It could, in theory, be any of the above.

I'd suggest upgrading to the latest version of Wireshark:

http://www.wireshark.org/download.html

in case it's due to a bug that's been fixed in later versions of
Wireshark, and, if you still see the problem, export as plain text (with
packet details and packet bytes) one of the packets that show up as a
malformed frame, and also save the packet in question to a file (i.e.,
save it as a one-packet capture file), so we can look at the packet and
see where the problem might be, and send a message to the
wireshark-users list:

http://www.wireshark.org/lists/

with the text of the packet and the one-packet capture file.
_______________________________________________
Ethereal-users mailing list
Ethereal-users [at] ethereal
http://www.ethereal.com/mailman/listinfo/ethereal-users

buercky at comcast

Aug 22, 2006, 8:31 AM

Post #3 of 4 (1046 views)
Permalink

RE: malformed packets [In reply to]

Attachments:

malformed.cap (100 B)

guy at alum

Aug 22, 2006, 10:33 AM

Post #4 of 4 (1053 views)
Permalink

Re: malformed packets [In reply to]

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users [at] wireshark
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

brent wrote:

> No. Time Source Destination Protocol
> Info SRC DEST
> 1 0.000000 10.1.1.247 10.1.198.111 UDP
> Source port: 5100 Destination port: 5000[Malformed Packet] 5100 5000
>
> Frame 1 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Intel_a7:4e:3f (00:0e:0c:a7:4e:3f), Dst: Cisco_5e:97:00
> (00:0a:f4:5e:97:00)
> Internet Protocol, Src: 10.1.1.247 (10.1.1.247), Dst: 10.1.198.111
> (10.1.198.111)
> User Datagram Protocol, Src Port: 5100 (5100), Dst Port: 5000 (5000)
> Cross Point Frame Injector
> [Malformed Packet: CPFI]

Unless you have, on your network, a piece of equipment from Compunter
Network Technology (CNT) or McData (CNT was bought by McData in 2005)
that transports Fibre Channel data over UDP, the problem is almost
certainly that the dissector for CNT's Cross Point Frame Injector
protocol is being called for packets that *aren't* CPFI packets.

That's an inherent problem with dissecting protocols running over TCP or
UDP - there's no guarantee that a given port is being used by a given
protocol. You could try disabling the CPFI dissector by going to
Analyze -> Enabled Protocols and un-checking the entry for Cross Point
Frame Injector.
_______________________________________________
Ethereal-users mailing list
Ethereal-users [at] ethereal
http://www.ethereal.com/mailman/listinfo/ethereal-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads