Wireshark-users: Re: [Wireshark-users] Why do I get so many malformed packets

From: János Löbb <janos.lobb@xxxxxxxx>
Date: Mon, 22 Mar 2010 14:01:03 -0400

On Mar 20, 2010, at 2:51 PM, Bill Meier wrote:

János Löbb wrote:
Two days ago I did another capture.  The capturing PC is a VMware
virtual machine on my Macintosh running Windows XP with Service Pack 3.
The version of Wireshark is 1.2.6. At this time from the 1677 packets
captured 1527 erred out and had 59 warnings.

I attach the capture file.

What could have been the cause of so many malformed packets?

I did the same test today at about the same time and found no errors or
warnings.  Very puzzling.  I attach the file from today too.



The short answer: In the first capture file many/most frames are missing
the last 4 bytes.

Did you do the two captures in exactly the same way ??

I've no idea why the first capture has many frames with missing bytes.

Something to do with capturing under VMware ??

Some kind of issue wherein something in the capture path thought the
last 4 bytes were an Ethernet FCS and removed them ??


(Maybe someone else (Guy Harris ?) can provide additional insight).


Hi Bill,

Yes, I did the two captures the same way. I planned to use Wireshark on the Macintosh side but for some reason Wireshark was unable to find the NIC card, so I had to do it from the VMware PC side. I will send a separate message with another topic on it.

I vaguely remember seeing an error message when I logged into Windows, like IOQ or IOP or IOR failed, but unfortunately I did not make a screenshot. The machine was sluggish and slowed down from the GUI point of view.

On the March 18th capture - same computer, same wall plate, same switch and port, same patch cable, I did not see any error message as I logged into Windows and did the capture. At this time I have not experienced any sluggishness.

Thanks,

János
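
The symptom described in this thread, frames missing their last 4 bytes, can be checked for directly by comparing each frame's captured length with the length its IPv4 header announces. The following is an added example, not part of the original messages; the function names and the sample capture are constructed here, and it assumes a classic (non-pcapng) pcap file with Ethernet link type.

```python
import struct

def short_frames(pcap: bytes):
    """Return (frame_number, missing_bytes) for IPv4-over-Ethernet frames whose
    data ends before the total length announced in the IPv4 header."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _snaplen, linktype = struct.unpack(endian + "II", pcap[16:24])
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    results, offset, number = [], 24, 0
    while offset + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        if incl_len < orig_len:
            continue  # cut by the snapshot length; that is expected truncation
        if len(frame) < 18 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to read the IPv4 total length
        total_len = struct.unpack("!H", frame[16:18])[0]
        missing = 14 + total_len - len(frame)  # padded short frames give <= 0
        if missing > 0:
            results.append((number, missing))
    return results

def _frame(payload_len, drop=0):
    """Constructed Ethernet+IPv4 frame with `drop` bytes removed from the end."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    data = eth + ip + bytes(payload_len)
    return data[:len(data) - drop]

def _pcap(frames):
    """Constructed little-endian pcap; record lengths match the stored bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: one intact frame, two frames that lost their last 4 bytes.
SAMPLE = _pcap([_frame(100), _frame(100, drop=4), _frame(200, drop=4)])

if __name__ == "__main__":
    for number, missing in short_frames(SAMPLE):
        print(f"frame {number}: {missing} byte(s) short of the IPv4 total length")
```

A capture where most reported frames are short by exactly 4 bytes matches the trailer-stripping pattern suggested above, as opposed to snapshot-length truncation, which the record header's two length fields would already reveal.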