Re: Malformed Packet

[Guy Harris <guy () alum mit edu>]

On Jan 10, 2013, at 11:50 PM, "Ewgenij Sokolovski" <ewgenijkkg () gmx de> wrote:

> > The reason for the "Exception occurred" error is that a dissector tried to
> > fetch data from a tvbuff but the data was past the end of the packet (not
> > just the end of the captured packet data, but past the end of the actual
> > packet length).
>
> Hmm, so does that mean that the value for packet length is wrong? Or were there no data at the place where dissector 
> looked for it, indeed?

The latter - although it really means "there is no data there *and, if this capture was done with a snapshot length 
set, there wouldn't have been data there had the capture been done without a snapshot length set*".  (If the capture 
was done with a snapshot length set, and the data would have been there had a snapshot length not been set or had the 
snapshot length been sufficiently larger, a different message is shown - that's just a problem with the capture 
process, e.g. a too-short snapshot, not a problem with the packet or the dissectors.)

What that means is that either

        1) the dissector has a bug, and shouldn't be looking there for data;

        2) the packet was bad, and should (according to the protocol specification) have had data there, but didn't;

        3) the packet would have had data there had it been reassembled from whatever fragments made it up, but 
reassembly wasn't done (either because it was disabled, or because Wireshark didn't have information needed to 
reassemble it, or Wireshark doesn't have code to reassemble it).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe