> I am using V0.8.18, WinPcap 2.1, on a WIN2K Server acting as a VPN router.
> Whenever I capture packets on the "external" NIC (connected to the internet
> via SDSL) all of the GRE packets show "Encapsulated PPP [Malformed Frame] in
> the Info column of the capture display. VPN is working properly between the
> two sites.
This means that the dissector is trying to dissect data past the end of
the frame.
This could mean that
1) the frame was not put correctly on the wire;
2) the frame is part of a fragmented IP datagram (GRE runs
inside IP, so if a GRE-encapsulated frame, plus the GRE
header, plus the IP header, plus the link-layer header, is
larger than the maximum frame size of the medium on which the
packet is being transmitted, the frame will be fragmented);
3) there's a bug in some dissector;
4) some other problem exists.
To eliminate problem 2), try
selecting the "Preferences" item from the "Edit" menu;
selecting the "IP" tab in the dialog box that pops up;
turning the "Reassemble fragmented IP datagrams" option on (this
isn't a Windows-style checkbox, in the default GTK+ theme in
that version of GTK+, so "on" is indented rather than checked);
click "OK";
Ethereal should then reassemble fragmented IP datagrams.
If the frames are still reported as malformed, we'd have to see the
capture in order to see what the problem is.
