Wireshark-users: Re: [Wireshark-users] OSPF Malformed Packet....

From: Kevin Cullimore <kcullimo@xxxxxxxxxx>
Date: Tue, 14 Sep 2010 18:51:55 -0400
 On 9/14/2010 5:11 PM, Jaap Keuter wrote:
On 09/14/2010 10:46 PM, Sake Blok wrote:
On 14 sep 2010, at 22:25, Stephen Fisher wrote:

On Tue, Sep 14, 2010 at 03:07:15PM -0500, Gaudineer, Kevin wrote:

All of these traces are showing that the OSPF LS update packets are
malformed.
Is it possible because of the way I did the capture that this is the
reason for the maformed packet showing?
Either that, or perhaps Wireshark isn't recognizing a valid packet
properly.  It's also possible that the entire packets aren't being
captured (a snapshot length setting), but typically that limitation is
recorded in the pcap file.
Looks like that is indeed the problem:

Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
and then in the middle of the LS details, the dissection stops...


OSPF LS packets are usually larger. So the 64 bytes on wire is quite misleading

Cheers,
Sake
... so call up Nortel and tell them to fix the pcap tool to write valid pcap
info, with real bytes on the wire values.
Isn't that kind of like suggesting that he call up Andersen to tell them to adhere to generally-accepted accounting principles or getting in touch with Enron to suggest offering energy trades in good faith?

FWIW, their pcap engine, as originally implemented within wellfleet gear, often functioned better than some competing alternatives.

Thanks,
Jaap
___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe