Wireshark mailing list archives

Re: Malformed Packet


From: Martin Mathieson <martin.r.mathieson () googlemail com>
Date: Mon, 14 Jan 2013 12:09:14 +0000

On Mon, Jan 14, 2013 at 11:46 AM, Ewgenij Sokolovski <ewgenijkkg () gmx de> wrote:

For the more normal case where we try to fetch more bytes than are there, I
don't know.  If it's a protocol I'm working with I can usually quickly tell
what has gone wrong, helped by seeing where dissection stopped.


Hmm, I'm quite new to debugging Wireshark dissectors. So, suppose I see
that my dissector stops at point X. The only way to find out what the
reason is is to look at the values displayed by Wireshark, compare them
with values which were sent in reality and find the point where
dissection went wrong then. Do I understand it right?


If I see that it's malformed in the info column, then I'll look at what follows
the last thing that was dissected and check its length.  Usually it's an
obvious blunder, such as:
- the offset into the tvb wasn't advanced correctly from previous fields
- a misread length field
- using a field that is too wide, or passing in a bad length when adding
the item to the tree

I'm not above adding a few temporary printf()s to check that the code is
working properly.  And sometimes I'll run in the debugger (either with
breakpoints, or just to have it there to catch any crashes) until it works
well.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
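
The length-field blunders listed in the reply above, reproduced in an added example that is not part of the original post and does not use Wireshark's API. `buf_t`, `in_range`, `get_uint` and `dissect` are hypothetical stand-ins for a bounds-checked buffer and a record dissector, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a tvb (hypothetical names, not Wireshark's API): the
 * first out-of-range access marks the packet malformed. */
typedef struct { const uint8_t *data; size_t len; int malformed; } buf_t;

static int in_range(buf_t *b, size_t off, size_t n) {
    if (b->malformed || off > b->len || n > b->len - off) b->malformed = 1;
    return !b->malformed;
}

static uint32_t get_uint(buf_t *b, size_t off, size_t width) {
    uint32_t v = 0;
    if (!in_range(b, off, width)) return 0;
    for (size_t i = 0; i < width; i++) v = (v << 8) | b->data[off + i];
    return v;
}

/* Constructed sample: two records of [type:1][length:2, big-endian][value]. */
static const uint8_t SAMPLE[] = { 1, 0, 2, 0xAA, 0xBB,  2, 0, 1, 0xCC };

/* len_width = bytes read for the length field: 2 is correct, 1 misreads it,
 * 4 is too wide. Returns the offset of the last record that started dissecting. */
size_t dissect(buf_t *b, size_t len_width, int *records) {
    size_t off = 0, last = 0;
    *records = 0;
    while (!b->malformed && off < b->len) {
        last = off;
        (void)get_uint(b, off, 1);                        /* type */
        uint32_t vlen = get_uint(b, off + 1, len_width);  /* length */
        if (!in_range(b, off + 1 + len_width, vlen)) break;
        off += 1 + len_width + vlen;   /* advance past the whole record */
        (*records)++;
    }
    return last;
}

int main(void) {
    const size_t widths[] = { 2, 1, 4 };
    for (size_t i = 0; i < 3; i++) {
        buf_t b = { SAMPLE, sizeof SAMPLE, 0 };
        int n; size_t at = dissect(&b, widths[i], &n);
        printf("len_width=%zu: %d records, stopped in record at offset %zu%s\n",
               widths[i], n, at, b.malformed ? " [Malformed Packet]" : "");
    }
    return 0;
}
```

With the 1-byte misread, the first record still dissects without error and the malformed stop only shows up in the record at offset 2, so the field to check is the length that was read just before the stop.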