Wireshark-users: Re: [Wireshark-users] OSPF Malformed Packet....

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 14 Sep 2010 22:46:41 +0200
On 14 sep 2010, at 22:25, Stephen Fisher wrote:

> On Tue, Sep 14, 2010 at 03:07:15PM -0500, Gaudineer, Kevin wrote:
> 
>> All of these traces are showing that the OSPF LS update packets are 
>> malformed.
> 
>> Is it possible because of the way I did the capture that this is the 
>> reason for the maformed packet showing?
> 
> Either that, or perhaps Wireshark isn't recognizing a valid packet 
> properly.  It's also possible that the entire packets aren't being 
> captured (a snapshot length setting), but typically that limitation is 
> recorded in the pcap file.

Looks like that is indeed the problem:

Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
and then in the middle of the LS details, the dissection stops...


OSPF LS packets are usually larger. So the 64 bytes on wire is quite misleading

Cheers,


Sake