Mailing List Archive

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

brent wrote:

> Im trying to locate a trouble in our network and have done a capture on
> a device using mirror ports of a device. We are getting MALFORMED
> PACKETS on every packet sent from a device on our network. IS this
> caused by the mirror port ? or is this a actual failure of the device ?
> or wireshark?

It could, in theory, be any of the above.

I'd suggest upgrading to the latest version of Wireshark:

http://www.wireshark.org/download.html

in case it's due to a bug that's been fixed in later versions of
Wireshark, and, if you still see the problem, export as plain text (with
packet details and packet bytes) one of the packets that show up as a
malformed frame, and also save the packet in question to a file (i.e.,
save it as a one-packet capture file), so we can look at the packet and
see where the problem might be, and send a message to the
wireshark-users list:

http://www.wireshark.org/lists/

with the text of the packet and the one-packet capture file.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

brent wrote:

> No. Time Source Destination Protocol
> Info SRC DEST
> 1 0.000000 10.1.1.247 10.1.198.111 UDP
> Source port: 5100 Destination port: 5000[Malformed Packet] 5100 5000
>
> Frame 1 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Intel_a7:4e:3f (00:0e:0c:a7:4e:3f), Dst: Cisco_5e:97:00
> (00:0a:f4:5e:97:00)
> Internet Protocol, Src: 10.1.1.247 (10.1.1.247), Dst: 10.1.198.111
> (10.1.198.111)
> User Datagram Protocol, Src Port: 5100 (5100), Dst Port: 5000 (5000)
> Cross Point Frame Injector
> [Malformed Packet: CPFI]

Unless you have, on your network, a piece of equipment from Compunter
Network Technology (CNT) or McData (CNT was bought by McData in 2005)
that transports Fibre Channel data over UDP, the problem is almost
certainly that the dissector for CNT's Cross Point Frame Injector
protocol is being called for packets that *aren't* CPFI packets.

That's an inherent problem with dissecting protocols running over TCP or
UDP - there's no guarantee that a given port is being used by a given
protocol. You could try disabling the CPFI dissector by going to
Analyze -> Enabled Protocols and un-checking the entry for Cross Point
Frame Injector.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users