Wireshark-users: Re: [Wireshark-users] Malformed packet within Putty's 0.52 SSH

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Sat, 07 Oct 2006 17:21:42 +1000

LDB wrote:
> Within Ethereal I am detecting a malformed packet coming
> from a PuTTY SSH client using version 0.52. Could my users
> have downloaded a tainted version of PuTTY?

Does PuTTY think it is malformed? My observation is that this usually
happens tunnelling an X client. PuTTY pops up an error dialog, closes
the connection and the X client then proceeds to crash.

What version of Windows is this? I see it quite often on NT, but not on
XP with the same binaries compiled with MSVC7. (To add some options not
included in the standard version.)

> Also, why does Ethereal consider it a malformed packet from SSH?

Because it might be malformed, or contains encodings Ethereal/Wireshark
does not expect.

As suggested, a capture trace might help, including the "malformed"
packet(s), but if you can produce a small complete session exhibiting
the error it might be more helpful.

I would have done this before, but since I have not been able to get
WinPcap working on Token Ring for months, I haven't.

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who