Wireshark-users: Re: [Wireshark-users] How do I use a display filter to find Malformed packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 12 Dec 2006 14:01:28 -0800

On Dec 12, 2006, at 5:21 AM, Hal Lander wrote:

I am missing the obvious here.

"malformed" seems to be a protocol.

...as the entries for that (which are typically cases where the packet is shorter than it's supposed to be) are at the top level of the protocol display, and those entries are generally done as protocols.

If I type "malformed" (without quotes) in the filter box I get no packets displayed. However if I examine individual packets then the middle pane shows packets that have a red line and [Malfomed Packet: foo]

The only place I see where, in standard Wireshark, you'd get "[Malformed Packet: <protocol name>]", that entry is an entry for the "malformed" protocol.

However, if the "foo" to which you're referring really is "foo" (in which case it's an add-on dissector not part of Wireshark, as Wireshark doesn't come with a dissector for a protocol named "foo"), perhaps the "foo" dissector is putting an entry into the protocol tree that looks like that but that isn't for the "malformed" protocol.

I am also not too clear on how display filtering works in general.
The middle pane has a column called "Protocol" which has entries for "UDP" (all upper case) and "foo" (all lower case) if I type UDP in the filter in upper case Wireshark does not like it, but lower case seems to work.

Filters are, for better or worse, case-sensitive (I'm not sure they should be, for field and protocol names; making them case-insensitive would mean you couldn't, for example, distinguish between protocols called "foo", "Foo", and "FOO", but, frankly, if that's all you have to distinguish them, somebody screwed up, and better names, which differ in more than just case, should be chosen).

Requiring that "UDP" be typed is burdensome, so, for better or worse, the filter for UDP is "udp"; "UDP" is what's displayed in the protocol field, because that's generally how it's referred to.

(Again, I'd vote for making protocol and field name matching case- insensitive.)

Typing foo fails in both upper and lower case. Does that mean the "foo" protocol has not been registered properly, is so why does it appear in the protocol column?

Probably because whoever wrote the "foo" dissector decided to use different names in the Protocol column in the summary pane and when registering the protocol. Currently, the two are set completely independently; there are cases where that's useful, but it might be nice if the Protocol column could be set by default to the "short name" of the protocol. (Protocols have a long descriptive name, e.g. "User Datagram Protocol", a short name, e.g. "UDP", and a filter name, e.g. "udp".)

When you say "foo", do you literally mean "foo", or is this some other protocol or protocols you're referring to? If so, are they ones with a dissector that comes with Wireshark (in which case, what protocol or protocols are they?) or are they add-ons?