Wireshark-dev: Re: [Wireshark-dev] Deciding a packet as malformed entity

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 6 Nov 2011 19:04:43 -0800
On Nov 6, 2011, at 6:47 PM, Krishnamurthy Mayya wrote:

>   When we use a new module which we have written and add it to Wireshark, and then test using a captured <pcap> file, if some packets are decoded properly and the others come out malformed, listing the protocol name which we have not even touched, what shall we conclude? Is it the captured file problem or the included module problem?

Those are not the only possibilities.

A third possibility is "the dissector for the protocol in question has a bug".

What happens if you read the capture file with a version of Wireshark that does *NOT* have your new module?  Does it report the same packets as being malformed?  If so, it's obviously not a problem with your new module.

>   OR
>   what are the possible situations when you conclude that the captured packet itself is not proper? (By 'positively' assuming that the plugin is causing any problem.)

The most common such situation is when the dissector tries to read some packet data, because it expects the data to be there, but it's not there (not because the packet was cut short by a snapshot length, but because the data isn't there at all).  That could be because the data is supposed to be there but isn't (i.e., the packet really is malformed), or because the dissector is expecting it to be there but shouldn't be (i.e., the dissector has a bug).
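A constructed model of the distinction drawn above, added here as an example and not taken from the thread or from Wireshark's source: a read that runs past the bytes the snapshot length kept is a truncation, while a read that runs past the length the packet had on the wire is what Wireshark reports as malformed. The toy dissector and the three sample packets are assumptions made for the example.

```c
/* Constructed model of the tvbuff bounds rule; not Wireshark's own code.
 * A packet has a reported (on-the-wire) length and a captured length (what
 * the snapshot length kept). */
#include <stddef.h>
#include <stdint.h>

typedef enum { READ_OK, BOUNDS_ERROR, REPORTED_BOUNDS_ERROR } tvb_status;

typedef struct {
    const uint8_t *data;  /* captured bytes */
    size_t captured_len;  /* bytes actually present in the capture file */
    size_t reported_len;  /* length the packet had on the wire */
} tvb_t;

/* Reported length decides "malformed"; captured length decides
 * "packet size limited during capture". */
static tvb_status tvb_check(const tvb_t *tvb, size_t offset, size_t len)
{
    size_t end = offset + len;
    if (end > tvb->reported_len) return REPORTED_BOUNDS_ERROR;
    if (end > tvb->captured_len) return BOUNDS_ERROR;
    return READ_OK;
}

/* Toy protocol: 4-byte big-endian length, then that many payload bytes.
 * A dissector that wrongly expects extra data would land in
 * REPORTED_BOUNDS_ERROR here too: from the buffer's point of view a
 * malformed packet and a dissector bug look the same. */
static tvb_status dissect_toy(const tvb_t *tvb, size_t *payload_len)
{
    tvb_status st = tvb_check(tvb, 0, 4);
    if (st != READ_OK) return st;
    size_t n = ((size_t)tvb->data[0] << 24) | ((size_t)tvb->data[1] << 16) |
               ((size_t)tvb->data[2] << 8)  |  (size_t)tvb->data[3];
    st = tvb_check(tvb, 4, n);
    if (st != READ_OK) return st;
    *payload_len = n;
    return READ_OK;
}

/* Constructed sample: header says 4 payload bytes follow. */
static const uint8_t pkt[] = { 0, 0, 0, 4, 'a', 'b', 'c', 'd' };

tvb_status case_complete(void)    /* 8 of 8 bytes captured */
{ tvb_t t = { pkt, 8, 8 }; size_t n; return dissect_toy(&t, &n); }
tvb_status case_snaplen_cut(void) /* wire had 8, snaplen kept only 6 */
{ tvb_t t = { pkt, 6, 8 }; size_t n; return dissect_toy(&t, &n); }
tvb_status case_malformed(void)   /* packet itself had only 6 bytes */
{ tvb_t t = { pkt, 6, 6 }; size_t n; return dissect_toy(&t, &n); }
```

Reading the same file with a Wireshark that lacks the new module, as suggested above, is the practical way to tell the last case from a bug in the dissector that is doing the reading.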