Wireshark-users: Re: [Wireshark-users] Malformed Packet
From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Mon, 14 Jan 2013 12:09:14 +0000


On Mon, Jan 14, 2013 at 11:46 AM, Ewgenij Sokolovski <ewgenijkkg@xxxxxx> wrote:
> For the more normal case where we try to fetch more bytes than are there, I
> don't know.  If it's a protocol I'm working with I can usually quickly tell
> what has gone wrong, helped by seeing where dissection stopped.


> Hmm, I'm quite new to debugging Wireshark dissectors. So, suppose I see that my dissector stops at point X. The only way to find out what the reason is is to look at the values displayed by Wireshark, compare them with the values which were sent in reality and then find the point where dissection went wrong. Do I understand it right?


If I see that it's malformed in the info column, then I'll look at what follows the last thing that was dissected and check its length.  Usually it's an obvious blunder, such as:
- the offset into the tvb wasn't advanced correctly from previous fields
- a misread length field
- using a field that is too wide, or passing in a bad length when adding the item to the tree

I'm not above adding a few temporary printf()s to check that the code is working properly.  And sometimes I'll run in the debugger (either with breakpoints, or just to have it there to catch any crashes) until it works well.
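The three blunders listed above, as an added example (not Wireshark code and not from anyone in this thread): a toy dissector in C over a constructed record, using a hypothetical `tvb_t` stand-in for a tvbuff, with flags that inject a misread length field and an over-wide trailer field. It shows the bounds check reporting the overrun one field after the real mistake, which is why checking the length of what follows the last dissected field is the useful first step.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a Wireshark tvbuff: the captured bytes and
 * their count. Not the real tvbuff API. */
typedef struct { const uint8_t *data; size_t len; } tvb_t;
/* Where dissection stopped and, if cut short, which field overran. */
typedef struct { size_t stop_offset; int malformed; const char *field; } result_t;

/* True if `width` bytes starting at `offset` are all inside the buffer. */
static int tvb_has(const tvb_t *tvb, size_t offset, size_t width) {
    return width <= tvb->len && offset <= tvb->len - width;
}

/* Consume `width` bytes for field `name`; on overrun, record it and stop. */
static int take(const tvb_t *tvb, size_t *offset, size_t width,
                const char *name, result_t *r) {
    if (!tvb_has(tvb, *offset, width)) {
        r->malformed = 1; r->field = name; r->stop_offset = *offset;
        return 0;
    }
    *offset += width;
    return 1;
}

/* Constructed layout: 1-byte type, 1-byte length, `length` value bytes,
 * 2-byte trailer. len_bug misreads the length field (off by one);
 * wide_bug reads the trailer with a 4-byte field instead of 2. */
static result_t dissect_record(const tvb_t *tvb, int len_bug, int wide_bug) {
    result_t r = {0, 0, NULL};
    size_t offset = 0;
    if (!take(tvb, &offset, 1, "type", &r)) return r;
    if (!take(tvb, &offset, 1, "length", &r)) return r;
    size_t value_len = (size_t)tvb->data[offset - 1] + (len_bug ? 1u : 0u);
    if (!take(tvb, &offset, value_len, "value", &r)) return r;
    if (!take(tvb, &offset, wide_bug ? 4 : 2, "trailer", &r)) return r;
    r.stop_offset = offset;
    return r;
}

/* Constructed sample: type 01, length 03, value AA BB CC, trailer DE AD. */
static const uint8_t SAMPLE_RECORD[] = {0x01, 0x03, 0xAA, 0xBB, 0xCC, 0xDE, 0xAD};

int main(void) {
    tvb_t tvb = {SAMPLE_RECORD, sizeof SAMPLE_RECORD};
    result_t ok = dissect_record(&tvb, 0, 0);
    result_t bad = dissect_record(&tvb, 1, 0);   /* misread length field */
    printf("correct: stopped at %zu, malformed=%d\n", ok.stop_offset, ok.malformed);
    printf("len bug: malformed at '%s', offset %zu\n", bad.field, bad.stop_offset);
    return 0;
}
```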