Wireshark-users: Re: [Wireshark-users] Redback protocol decoding error?

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 13 Apr 2008 19:25:28 +0200
On Sun, Apr 13, 2008 at 12:09:52PM -0400, Don Arrowsmith wrote:
> [Please excuse any seemingly obvious errors in this post as I'm not a WS pro.]
> 
> I upgraded to WS v1.0.0 and noticed a packet on my LAN labeled "IP  
> Bogus IP length (0, less than header length 20)".  As I had another 
> PC which still had WS v0.99.7, I looked at the same packet there and 
> it says "UDP  Source port: 6646  Destination port: 6646".  In 
> checking, this seems to be a broadcast packet from a McAfee network 
> monitoring agent.  I do have McAfee AV running so this is probably 
> what it is.
> 
> Is this an error in WS 1.0.0 thinking it's a bad packet?  It 
> references a "redback" protocol in the decode which I'm pretty sure 
> isn't anywhere on my LAN..
> 
> I've posted full text decodes:
> v0.99.7 at  http://eisner.decus.org/~arrowsmith/ws0997.txt and 
> v1.0.0 at http://eisner.decus.org/~arrowsmith/ws100.txt.

I have taken a look at the full decodes and this issue resembles
another issue where the Redback dissector falsely assumed a packet
needed to be dissected by the redback dissector. Looking close
at the UDP data that you supplied, I can confirm that the bugfix
used for that bug[1] will also fix your issue.

If you want to try an automated wireshark build, you can find them
at http://www.wireshark.org/download/automated/ or else you can
wait till the next official release of wireshark.

Hope this helps,
Cheers,
    Sake

[1] http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2376