Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] OSPF Malformed Packet....

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 15 Sep 2010 07:54:01 +0200
On 09/15/2010 12:51 AM, Kevin Cullimore wrote:
   On 9/14/2010 5:11 PM, Jaap Keuter wrote:
On 09/14/2010 10:46 PM, Sake Blok wrote:
On 14 sep 2010, at 22:25, Stephen Fisher wrote:

On Tue, Sep 14, 2010 at 03:07:15PM -0500, Gaudineer, Kevin wrote:

All of these traces are showing that the OSPF LS update packets are
malformed.
Is it possible because of the way I did the capture that this is the
reason for the maformed packet showing?
Either that, or perhaps Wireshark isn't recognizing a valid packet
properly.  It's also possible that the entire packets aren't being
captured (a snapshot length setting), but typically that limitation is
recorded in the pcap file.
Looks like that is indeed the problem:

Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
and then in the middle of the LS details, the dissection stops...


OSPF LS packets are usually larger. So the 64 bytes on wire is quite misleading

Cheers,
Sake
... so call up Nortel and tell them to fix the pcap tool to write valid pcap
info, with real bytes on the wire values.
Isn't that kind of like suggesting that he call up Andersen to tell them
to adhere to generally-accepted accounting principles or getting in
touch with Enron to suggest offering energy trades in good faith?

FWIW, their pcap engine, as originally implemented within wellfleet
gear, often functioned better than some competing alternatives.


Well, that's a whole other story, which ends with using OSS.
That's how I got stuck with Wireshark; didn't like something and got it fixed.

Thanks,
Jaap