Good morning,

When analyzing a trace I found this message for more I look online I find response to what is past, and if the error is real or not. Can you help?

    [Malformed Packet: TDS]
    Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
    Message: Malformed Packet (Exception occurred)
    Severity level: Error
    Group: Malformed

I have Windows Server 2003 and SQL Server 2005. Thanks.

asked 13 Apr '11, 01:30

dagonpal

edited 13 Apr '11, 01:34


Wireshark thinks the packet is malformed. This could be because it really is malformed. A few possible reasons might be because the snaplen causes the packet to be truncated during capturing, or the packet could have been malformed originally by the sender. The packet could have become corrupted in transit or intentionally by a fuzz-tester, for example. On the other hand, the packet could be just fine and it's incorrectly being reported as malformed due to a bug in the Wireshark TDS dissector.

answered 13 Apr '11, 09:04

cmaynard ♦

OK, I understand, but how do I know if it is truly a malformed packet or if the packet is correct?

(14 Apr '11, 00:02) dagonpal

Well, that requires some knowledge of both the protocol and the dissector itself. Here are some links to documents that might help you out:

If, after some examination, you think the TDS dissector is somehow flawed, you might want to open a bug report and upload your sample capture file to it.

(14 Apr '11, 07:56) cmaynard ♦

OK perfect, thanks.

(18 Apr '11, 07:27) dagonpal

(I converted your "answer" to a "comment", that's the way this Q&A site works best, see also the FAQ. Please also accept an "answer" by clicking on the checkmark next to it if it did indeed answer your question so that your question will not be listed on the unanswered questions list anymore)

(18 Apr '11, 13:07) SYN-bit ♦♦

In addition to the possibilities Chris Maynard suggested, the TDS dissector tries to detect TDS traffic not to or from ports 1433 or 2433 by looking at otherwise-unidentified TCP traffic to see if it looks like TDS traffic; this could result in incorrectly identifying non-TDS traffic as TDS and reporting it as malformed TDS traffic.

answered 15 Apr '11, 09:36

Guy Harris ♦♦

edited 15 Apr '11, 09:36
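
Two of the causes named in the answers above, snaplen truncation and non-TDS traffic being taken for TDS, can be checked directly from the capture file. The script below is an added example, not part of the original thread and not Wireshark's dissector code; it assumes a classic pcap file (not pcapng) with Ethernet/IPv4/TCP framing, and the function names and sample bytes are constructed for illustration.

```python
import struct

TDS_TYPES = {1, 2, 3, 4, 6, 7, 14, 16, 17, 18}   # header "Type" values in MS-TDS

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4           # Ethernet header + IPv4 header
    if len(frame) < tcp + 20:
        return None
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def check_frame(incl_len, orig_len, frame):
    """Say why a TDS dissector might flag this captured frame."""
    if incl_len < orig_len:                      # fewer bytes saved than were on the wire
        return "truncated by snaplen"
    data = tcp_payload(frame)
    if data is None or len(data) < 8:
        return "no complete TDS header"
    ptype, _status, length = struct.unpack(">BBH", data[:4])   # Length is big-endian
    if ptype not in TDS_TYPES or length < 8:
        return "does not look like TDS"
    if length > len(data):
        return "TDS packet continues in a later segment"
    return "TDS header consistent"

def triage(pcap):
    """Yield check_frame's verdict for every record of a classic (non-pcapng) capture."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    off = 24                                     # records follow the 24-byte file header
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(order + "II", pcap[off + 8:off + 16])
        yield check_frame(incl, orig, pcap[off + 16:off + 16 + incl])
        off += 16 + incl

def make_frame(payload):
    """Build a constructed Ethernet/IPv4/TCP frame to port 1433 (checksums zero)."""
    ip = struct.pack(">BBH5xB10x", 0x45, 0, 40 + len(payload), 6)
    tcp = struct.pack(">HH8xBB6x", 50000, 1433, 0x50, 0x18)
    return bytes(12) + b"\x08\x00" + ip + tcp + payload

# Constructed sample: a TDS packet, the same frame cut to 60 bytes, and HTTP text.
FULL = make_frame(struct.pack(">BBHHBB", 18, 1, 12, 0, 1, 0) + bytes(4))
RECORDS = [(66, FULL), (66, FULL[:60]), (72, make_frame(b"GET / HTTP/1.1\r\n\r\n"))]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(d), orig) + d for orig, d in RECORDS)
```

A segment that carries the middle of a large TDS packet does not begin with a header, so it is also reported as "does not look like TDS"; a consistent header says nothing about the tokens that follow it.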

I had the same problem looking at a pcap from SQL Server and then I saw the hardware was Itanium. I changed it to big endian in the TDS protocol settings and everything parsed ok. Just noting it in case you have the same problem.

answered 11 Sep '11, 20:28

cfed


Last updated: 24 Nov '12, 09:46
