Wireshark-users: Re: [Wireshark-users] [Wireshark-announce] What is a good average for malformed
Wireshark announcements wrote:
Something that it shouldn't have written. Questions about Wireshark
should be sent to wireshark-users@xxxxxxxxxxxxx or, if you're writing a
dissector or making some other change to Wireshark's source code,
wireshark-dev@xxxxxxxxxxxxx, not to wireshark-announce@xxxxxxxxxxxxx,
which is intended only for announcements from the Wireshark team.
(Gerald, should wireshark-announce reject mail sent to it from anybody
other than "approved" people such as you?)
> I’m in the process of analyzing traffic from our network and I’m coming
> across some malformed packets. Before I start going capture crazy, what
> is a good (average) of malformed packets on a network?
Zero. :-)
Malformed packets are due to one of:
1) a bug in the protocol implementation sending the packets;
2) a bug in Wireshark;
3) packet reassembly being turned off, and the wrong exception being
thrown when the dissector runs past the end of a non-reassembled packet;
4) a snapshot length being set, so that the packets are cut short, and
the wrong exception being thrown when the dissector runs past the end of
the cut-short packet.
1) shouldn't happen, because a network shouldn't have buggy protocol
implementations, because buggy protocol implementations shouldn't exist.
:-) Such implementations do exist, but they're probably rare.
2) shouldn't happen, because Wireshark should be free of bugs. Then
again, the same can be said of most if not all pieces of software, but
it's not true of most if not all pieces of software. :-(
3) shouldn't be true, as it's arguably a subcase of 2). The Wireshark
infrastructure doesn't handle that as well as it should, however.
4) also shouldn't be true, as it's also arguably a subcase of 2).
What protocols are in the "malformed" packets, and what does the packet
look like?
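Cases 3) and 4) above both come down to a dissector running past the end of the bytes it has, and whether it reports that as "malformed" or as "cut short by the capture". The model below is an added example, not Wireshark's code or a reply from the list: a toy TLV dissector over a buffer that tracks both the captured length and the reported on-the-wire length, and raises a distinct exception for each (the names mirror the two kinds Wireshark's dissector framework uses; the TLV format and the sample packet are constructed).

```python
"""Toy model of a dissector distinguishing a truncated capture from a
genuinely malformed packet (constructed example, not Wireshark code)."""
import struct
from typing import Optional


class BoundsError(Exception):
    """Ran past the captured bytes, but the packet on the wire was longer:
    the snapshot length cut it short, so it is not malformed."""


class ReportedBoundsError(Exception):
    """Ran past the reported (on-the-wire) length: the packet's own
    length fields are inconsistent, i.e. it is genuinely malformed."""


class Tvb:
    """Minimal stand-in for a testy virtual buffer: captured data plus the
    length the packet had on the wire (equal when nothing was cut)."""

    def __init__(self, data: bytes, reported_length: Optional[int] = None):
        self.data = data
        self.reported_length = len(data) if reported_length is None else reported_length

    def get(self, offset: int, length: int) -> bytes:
        end = offset + length
        if end > self.reported_length:
            raise ReportedBoundsError(f"need {end} bytes, packet had {self.reported_length}")
        if end > len(self.data):
            raise BoundsError(f"need {end} bytes, captured {len(self.data)}")
        return self.data[offset:end]


def dissect_tlv(tvb: Tvb):
    """Parse records of 1-byte type, 2-byte big-endian length, then value."""
    records, off = [], 0
    while off < tvb.reported_length:
        rec_type = tvb.get(off, 1)[0]
        (rec_len,) = struct.unpack(">H", tvb.get(off + 1, 2))
        records.append((rec_type, tvb.get(off + 3, rec_len)))
        off += 3 + rec_len
    return records


def classify(data: bytes, reported_length: Optional[int] = None):
    """Return ('ok', records), ('truncated', None) or ('malformed', None)."""
    try:
        return "ok", dissect_tlv(Tvb(data, reported_length))
    except BoundsError:
        return "truncated", None
    except ReportedBoundsError:
        return "malformed", None


# Constructed sample: two well-formed records, type 1 "abc" and type 2 "x".
PKT = b"\x01\x00\x03abc\x02\x00\x01x"
```

Feeding `PKT[:6]` with `reported_length=len(PKT)` (a snaplen of 6) yields "truncated", while a packet whose length field claims more bytes than the wire carried yields "malformed".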