Wireshark-users: Re: [Wireshark-users] Question on Ethereal

From: "Anders Broman \(AL/EAB\)" <anders.broman@xxxxxxxxxxxx>
Date: Fri, 16 Feb 2007 16:10:06 +0100
Hi,
Note that "Malformed packet" can have at least two reasons:
- The packet is malformed
- The dissector of the protocol has a bug
 
 
If you save the ´"Malformed packet" to file and try to open it in the latest version of Wireshark 0.99.5 does it show up
as malformed then? ( Bugs in the dissector may have been fixed).
 
If it's still showing as Malformed can you post the packet? 
 
BR
Anders

________________________________

Från: wireshark-users-bounces@xxxxxxxxxxxxx genom John Burnley
Skickat: fr 2007-02-16 15:55
Till: wireshark-users@xxxxxxxxxxxxx
Ämne: [Wireshark-users] Question on Ethereal



I know this list is for Wireshark but I've seen a few posts/questions on ethereal and tethereal.  I'm having some compile problems with Wireshark on a SUSE Linux box but I'll save that for a later time (I still have a few things to try).  However, I currently have a bigger fish to fry so I have to continue using Ethereal. 

I'll be the first to admit that I'm rather green when it comes to network diagnostics so please bear with the rookie questions.  I'm having trouble with a AJP13 connection between a linux server running Apache2 (mod_jk) and a Windows Server 2003 box running Tomcat.  The connection looks to be hanging so we have been running Ethereal to look at the packets.  The problem is intermittent with no specific sequence of events that can be found to recreate it.

After running several ethereal 'sessions' at various location between the Apache server and the Tomcat server we can see that when the problem occurs no packets are reaching the Tomcat box.  When the sniffer is placed between the linux box and the first switch in the physical route it shows the AJP13 packets as being malformed.  My guess is that the invalid packets never get forwarded on.  At the same time I've been running Ethereal on the Apache (linux) server so I could monitor if any responses were received from the Windows (Tomcat) server.  There are never any packet errors on the same packets that the external Ethereal sniffer complains about.  The packet bytes pane also shows the data portion of the packets captured on the linux (Apache) box and external sniffer to be exactly the same.  During this time there are not any other communication issues with the linux server (remote SSH X sessions etc). 

My question is at what point on the linux (Apache) server does Ethereal capture the packets?  Is there a way to display the detailed control information that is invalid?  I'm basically trying to pinpoint where the corruption may be occurring. 

Thanks in advance.



"CONFIDENTIALITY NOTICE: This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to whom it is addressed.  Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited.  If you are not the intended recipient, please contact the sender by reply email and delete and destroy all copies of the original message."
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users


<<winmail.dat>>