Wireshark-users: Re: [Wireshark-users] Redback protocol decoding error?
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 14 Apr 2008 00:14:59 +0200
Hi,

Another thing you can do with your current installation is to disable the Redback dissector, keeping it from touching these packets.

Thanx,
Jaap

Sake Blok wrote:
On Sun, Apr 13, 2008 at 12:09:52PM -0400, Don Arrowsmith wrote:
[Please excuse any seemingly obvious errors in this post as I'm not a WS pro.]

I upgraded to WS v1.0.0 and noticed a packet on my LAN labeled "IP Bogus IP length (0, less than header length 20)". As I had another PC which still had WS v0.99.7, I looked at the same packet there and it says "UDP Source port: 6646 Destination port: 6646". In checking, this seems to be a broadcast packet from a McAfee network monitoring agent. I do have McAfee AV running so this is probably what it is.

Is this an error in WS 1.0.0 thinking it's a bad packet? It references a "redback" protocol in the decode which I'm pretty sure isn't anywhere on my LAN.

I've posted full text decodes:
v0.99.7 at http://eisner.decus.org/~arrowsmith/ws0997.txt and v1.0.0 at http://eisner.decus.org/~arrowsmith/ws100.txt.

I have taken a look at the full decodes and this issue resembles
another issue where the Redback dissector falsely assumed a packet
needed to be dissected by the Redback dissector. Looking closely
at the UDP data that you supplied, I can confirm that the bugfix
used for that bug[1] will also fix your issue.

If you want to try an automated Wireshark build, you can find them
at http://www.wireshark.org/download/automated/ or else you can
wait till the next official release of Wireshark.

Hope this helps,
Cheers,
    Sake

[1] http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376