On Sun, Apr 13, 2008 at 12:09:52PM -0400, Don Arrowsmith wrote:
> [Please excuse any seemingly obvious errors in this post as I'm not a WS pro.]
>
> I upgraded to WS v1.0.0 and noticed a packet on my LAN labeled "IP
> Bogus IP length (0, less than header length 20)". As I had another
> PC which still had WS v0.99.7, I looked at the same packet there and
> it says "UDP Source port: 6646 Destination port: 6646". In
> checking, this seems to be a broadcast packet from a McAfee network
> monitoring agent. I do have McAfee AV running so this is probably
> what it is.
>
> Is this an error in WS 1.0.0 thinking it's a bad packet? It
> references a "redback" protocol in the decode which I'm pretty sure
> isn't anywhere on my LAN.
>
> I've posted full text decodes:
> v0.99.7 at http://eisner.decus.org/~arrowsmith/ws0997.txt and
> v1.0.0 at http://eisner.decus.org/~arrowsmith/ws100.txt.

I have taken a look at the full decodes and this issue resembles
another issue where the Redback dissector falsely assumed a packet
needed to be dissected by the Redback dissector. Looking closely
at the UDP data that you supplied, I can confirm that the bugfix
used for that bug[1] will also fix your issue.

If you want to try an automated Wireshark build, you can find them
at http://www.wireshark.org/download/automated/ or else you can
wait till the next official release of Wireshark.

Hope this helps,

Cheers,
Sake

[1] http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376