tcpdump mailing list archives

tcpdump display/decode bug?


From: Stephen Donnelly <stephen () endace com>
Date: Thu, 31 Jul 2008 09:12:36 +1200

I recently came across some packets which tcpdump appears to display
incorrectly.

Is tcpdump incorrectly invoking some heuristic dissector, or is there
another reason?

$ tcpdump -n -r tcpdump-error.pcap
reading from file tcpdump-error.pcap, link-type EN10MB (Ethernet)
08:35:24.570337 vlan 506, p 0, IP 10.143.146.4.22966 > 10.36.62.45.7098: UDP, length 311
08:35:24.570387 vlan 179, p 0, IP 85.254.4.128 > 223.117.196.0: at-#182 673
08:35:24.570393 vlan 506, p 0, IP 85.254.4.128 > 223.117.196.0: at-#182 673
08:35:24.570399 vlan 179, p 0, IP 10.143.146.4.31200 > 10.36.69.80.6988: UDP, length 189

$ tshark -n -r tcpdump-error.pcap
  1   0.000000 10.143.146.4 -> 10.36.62.45  UDP Source port: 22966 Destination port: 7098
  2   0.000050 10.143.146.4 -> 10.36.53.122 UDP Source port: 8756 Destination port: 16622
  3   0.000056 10.143.146.4 -> 10.36.53.122 UDP Source port: 8756 Destination port: 16622
  4   0.000062 10.143.146.4 -> 10.36.69.80  UDP Source port: 31200 Destination port: 6988

$ tcpdump -V
tcpdump version 3.9.8
libpcap version 0.9.8

$ tshark -v
TShark 1.0.99 (SVN Rev 25740)

Compiled with GLib 2.16.3, with libpcap 0.9-PRE-CVS, with libz 1.2.3.3, with
POSIX capabilities (Linux), with libpcre 7.4, without SMI, with ADNS, without
Lua, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos.

Running on Linux 2.6.24-12-generic, with libpcap version 0.9-PRE-CVS.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).


Any assistance appreciated.

Stephen.
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------