Wireshark-users: Re: [Wireshark-users] How do I use a display filter to find Malformed packets
On Dec 12, 2006, at 5:21 AM, Hal Lander wrote:
> I am missing the obvious here.
> "malformed" seems to be a protocol.
...as the entries for that (which are typically cases where the packet
is shorter than it's supposed to be) are at the top level of the
protocol display, and those entries are generally done as protocols.
> If I type "malformed" (without quotes) in the filter box I get no
> packets displayed.
> However if I examine individual packets then the middle pane shows
> packets that have a red line and [Malformed Packet: foo]
The only place I see where, in standard Wireshark, you'd get
"[Malformed Packet: <protocol name>]", that entry is an entry for the
"malformed" protocol.
However, if the "foo" to which you're referring really is "foo" (in
which case it's an add-on dissector not part of Wireshark, as
Wireshark doesn't come with a dissector for a protocol named "foo"),
perhaps the "foo" dissector is putting an entry into the protocol tree
that looks like that but that isn't for the "malformed" protocol.
> I am also not too clear on how display filtering works in general.
> The middle pane has a column called "Protocol" which has entries for
> "UDP" (all upper case) and "foo" (all lower case). If I type UDP in
> the filter in upper case, Wireshark does not like it, but lower case
> seems to work.
Filters are, for better or worse, case-sensitive (I'm not sure they
should be, for field and protocol names; making them case-insensitive
would mean you couldn't, for example, distinguish between protocols
called "foo", "Foo", and "FOO", but, frankly, if that's all you have
to distinguish them, somebody screwed up, and better names, which
differ in more than just case, should be chosen).
Requiring that "UDP" be typed is burdensome, so, for better or worse,
the filter for UDP is "udp"; "UDP" is what's displayed in the protocol
field, because that's generally how it's referred to.
(Again, I'd vote for making protocol and field name matching case-
insensitive.)
> Typing foo fails in both upper and lower case. Does that mean the
> "foo" protocol has not been registered properly? If so, why does it
> appear in the protocol column?
Probably because whoever wrote the "foo" dissector decided to use
different names in the Protocol column in the summary pane and when
registering the protocol. Currently, the two are set completely
independently; there are cases where that's useful, but it might be
nice if the Protocol column could be set by default to the "short
name" of the protocol. (Protocols have a long descriptive name, e.g.
"User Datagram Protocol", a short name, e.g. "UDP", and a filter name,
e.g. "udp".)
When you say "foo", do you literally mean "foo", or is this some other
protocol or protocols you're referring to? If so, are they ones with
a dissector that comes with Wireshark (in which case, what protocol or
protocols are they?) or are they add-ons?
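An added example, not from this thread and not part of Wireshark's own sources: a minimal Lua dissector for a hypothetical "foo" protocol. The UDP port (9999), the three-byte header layout and the field names are assumptions made for illustration. It shows the three names a protocol is registered with (long name, short name, filter name), that the Protocol column in the summary pane is set by the dissector independently of the filter name, and a length check that reports a truncated packet itself instead of reading past the end of the buffer.

```lua
-- Added example (not from the mailing-list thread): a minimal Wireshark Lua
-- dissector for a hypothetical "foo" protocol carried over UDP port 9999.
-- Port, header layout and names are assumptions chosen for this example.

-- Proto(name, description): Wireshark registers the lower-cased name as the
-- display-filter name ("foo") and the upper-cased name as the short name
-- ("FOO"); the second argument is the long descriptive name. So the filter
-- box wants "foo" even though the tree and column can show "FOO".
local foo = Proto("foo", "Foo Example Protocol")

-- Fields are registered under the filter name, so "foo.type" and
-- "foo.length" become usable in the filter box along with plain "foo".
local f_type    = ProtoField.uint8("foo.type",    "Type",    base.DEC)
local f_length  = ProtoField.uint16("foo.length", "Length",  base.DEC)
local f_payload = ProtoField.bytes("foo.payload", "Payload")
foo.fields = { f_type, f_length, f_payload }

local FOO_HEADER_LEN = 3   -- 1-byte type + 2-byte big-endian payload length

function foo.dissector(buffer, pinfo, tree)
    -- This string is what the summary pane's Protocol column displays. It is
    -- set here, separately from the registered names, which is why a column
    -- can say one thing while the filter expects another. foo.name is the
    -- short name ("FOO"); putting "foo" or anything else here would work too.
    pinfo.cols.protocol = foo.name

    local subtree = tree:add(foo, buffer(), "Foo Example Protocol")

    -- Packet shorter than the header: flag it and stop rather than reading
    -- past the captured data, which is what shows up as "[Malformed Packet: FOO]".
    if buffer:len() < FOO_HEADER_LEN then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            "foo header truncated (" .. buffer:len() .. " bytes captured)")
        return
    end

    subtree:add(f_type,   buffer(0, 1))
    local len = buffer(1, 2):uint()
    subtree:add(f_length, buffer(1, 2))

    -- Declared payload length larger than what was captured: report it
    -- instead of letting buffer(3, len) fail with an out-of-range error.
    if FOO_HEADER_LEN + len > buffer:len() then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            "foo length field " .. len .. " exceeds captured bytes")
        return
    end

    subtree:add(f_payload, buffer(FOO_HEADER_LEN, len))
end

-- Register for UDP port 9999 (the port is an assumption for this example).
DissectorTable.get("udp.port"):add(9999, foo)
```

Loaded with `tshark -X lua_script:foo.lua -r capture.pcap -Y "foo"`, packets on that port match the lower-case filter `foo` while the Protocol column prints `FOO`; `-Y "FOO"` is rejected, which is the case-sensitivity behaviour described above. One caveat for readers on current Wireshark releases: the pseudo-protocol that the thread filters on as `malformed` is now named `_ws.malformed` in display filters.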