Wireshark-users: Re: [Wireshark-users] [Wireshark-announce] What is a good average for malformed
From: Guy Harris <[email protected]>
Date: Mon, 09 Jun 2008 23:26:53 -0700
Wireshark announcements wrote:

Something that it shouldn't have written. Questions about Wireshark should be sent to [email protected] or, if you're writing a dissector or making some other change to Wireshark's source code, [email protected], not to [email protected], which is intended only for announcements from the Wireshark team. (Gerald, should wireshark-announce reject mail sent to it from anybody other than "approved" people such as you?)
I’m in the process of analyzing traffic from our network and I’m coming across some malformed packets. Before I start going capture crazy, what is a good (average) number of malformed packets on a network?
Zero. :-)

Malformed packets are due to one of:

1) a bug in the protocol implementation sending the packets;

2) a bug in Wireshark;

3) packet reassembly being turned off, and the wrong exception being thrown when the dissector runs past the end of a non-reassembled packet;

4) a snapshot length being set, so that the packets are cut short, and the wrong exception being thrown when the dissector runs past the end of the cut-short packet.

1) shouldn't happen, because a network shouldn't have buggy protocol implementations, because buggy protocol implementations shouldn't exist. :-)  Such implementations do exist, but they're probably rare.

2) shouldn't happen, because Wireshark should be free of bugs.  Then again, the same can be said of most if not all pieces of software, but it's not true of most if not all pieces of software. :-(

3) shouldn't be true, as it's arguably a subcase of 2).  The Wireshark infrastructure doesn't handle that as well as it should, however.

4) also shouldn't be true, as it's also arguably a subcase of 2).

What protocols are in the "malformed" packets, and what does the packet look like?
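A worked illustration of the difference between causes 1) and 4) above, added here and not part of the thread: a small classic-pcap writer and reader that compares a record's saved length with its on-wire length to tell a UDP packet cut short by the snapshot length from one whose sender wrote a bogus UDP length field. The frame builder, the function names and the "cut short by snaplen" / "malformed" labels are my own constructions; the pcap and header layouts are the standard ones.

```python
import struct

HDR = 14 + 20 + 8  # Ethernet + IPv4 (IHL=5 assumed) + UDP header bytes

def udp_frame(payload, claimed_len=None):
    """Constructed Ethernet/IPv4/UDP frame; claimed_len forges a bogus UDP length. Checksums left 0."""
    udp_len = 8 + len(payload) if claimed_len is None else claimed_len
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip

def build_pcap(frames, snaplen):
    """Classic pcap writer: incl_len (bytes saved) and orig_len (bytes on the wire) differ exactly when snaplen cut the frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        saved = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(saved), len(frame)) + saved
    return out

def iter_records(blob):
    """Yield (orig_len, saved_bytes) for each record after the 24-byte global header."""
    off = 24
    while off < len(blob):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield orig_len, blob[off:off + incl_len]
        off += incl_len

def classify_udp(orig_len, data):
    """Say why a UDP packet came up short, separating cause 1 (sender bug) from cause 4 (snaplen)."""
    if orig_len < HDR:
        return "malformed"              # never had room for IP + UDP headers on the wire
    if len(data) < HDR:
        return "cut short by snaplen"   # headers were on the wire, the capture dropped them
    udp_len = struct.unpack_from("!H", data, 14 + 20 + 4)[0]
    if udp_len < 8 or 14 + 20 + udp_len > orig_len:
        return "malformed"              # length field claims bytes that never existed: cause 1
    if 14 + 20 + udp_len > len(data):
        return "cut short by snaplen"   # bytes existed on the wire but were not saved: cause 4
    return "ok"

def audit(blob):
    return [classify_udp(orig_len, data) for orig_len, data in iter_records(blob)]

# Constructed capture, snaplen 96: a 142-byte datagram (cut short), one whose UDP length lies, one fine.
SAMPLE = build_pcap([(1, udp_frame(b"A" * 100)),
                     (2, udp_frame(b"B" * 10, claimed_len=500)),
                     (3, udp_frame(b"C" * 10))], snaplen=96)
```

Running `audit(SAMPLE)` labels the three records in order; only the middle one is a genuine sender bug, the first is the capture's snaplen at work.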