Wireshark-users: Re: [Wireshark-users] [Wireshark-announce] What is a good average for malformed packets



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 09 Jun 2008 23:26:53 -0700

Wireshark announcements wrote:

Something that it shouldn't have written. Questions about Wireshark should be sent to wireshark-users@xxxxxxxxxxxxx or, if you're writing a dissector or making some other change to Wireshark's source code, wireshark-dev@xxxxxxxxxxxxx, not to wireshark-announce@xxxxxxxxxxxxx, which is intended only for announcements from the Wireshark team. (Gerald, should wireshark-announce reject mail sent to it from anybody other than "approved" people such as you?)

> I’m in the process of analyzing traffic from our network and I’m coming across some malformed packets. Before I start going capture crazy. What is a good (average) of malformed packets on a network?

Zero. :-)

Malformed packets are due to one of:

	1) a bug in the protocol implementation sending the packets;

	2) a bug in Wireshark;

	3) packet reassembly being turned off, and the wrong exception being thrown when the dissector runs past the end of a non-reassembled packet;

	4) a snapshot length being set, so that the packets are cut short, and the wrong exception being thrown when the dissector runs past the end of the cut-short packet.

1) shouldn't happen, because a network shouldn't have buggy protocol implementations, because buggy protocol implementations shouldn't exist. :-) Such implementations do exist, but they're probably rare.

2) shouldn't happen, because Wireshark should be free of bugs. Then again, the same can be said of most if not all pieces of software, but it's not true of most if not all pieces of software. :-(

3) shouldn't be true, as it's arguably a subcase of 2). The Wireshark infrastructure doesn't handle that as well as it should, however.

4) also shouldn't be true, as it's also arguably a subcase of 2).

What protocols are in the "malformed" packets, and what does the packet look like?
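
A check for cause 4 in the list above, added here as an example and not part of the original message: it reads a classic pcap file (not pcapng) and counts the records whose captured length is smaller than their on-wire length, meaning a snapshot length cut them short. The function names and the sample capture bytes are constructed for illustration.

```python
import struct

# Classic pcap magic bytes as they appear on disk -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def truncation_report(data: bytes) -> dict:
    """Count pcap records whose captured length is below the on-wire length."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order = PCAP_MAGICS[data[:4]]
    # Global header after the magic: version, thiszone, sigfigs, snaplen, linktype.
    _vmaj, _vmin, _zone, _sigfigs, snaplen, _linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    packets = truncated = 0
    offset, incomplete_tail = 24, False
    while offset < len(data):
        if offset + 16 > len(data):
            incomplete_tail = True  # file ends inside a record header
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            incomplete_tail = True  # file ends inside packet data
            break
        packets += 1
        if incl_len < orig_len:
            truncated += 1  # capture stopped at the snapshot length
        offset += incl_len
    return {"snaplen": snaplen, "packets": packets,
            "truncated": truncated, "incomplete_tail": incomplete_tail}

def _record(captured: bytes, wire_len: int) -> bytes:
    """Build one pcap record (constructed sample data, zero timestamps)."""
    return struct.pack("<IIII", 0, 0, len(captured), wire_len) + captured

# Constructed sample: snaplen 64, one complete 60-byte frame, two cut-short frames.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
          + _record(b"\x00" * 60, 60)
          + _record(b"\x00" * 64, 1514)
          + _record(b"\x00" * 64, 590))

if __name__ == "__main__":
    print(truncation_report(SAMPLE))
```

A high truncated count in a capture that also shows malformed packets points at the snapshot length rather than at a buggy sender.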
