Why am I getting "Malformed Packets" when analyzing USB CDC if they are correct?

asked 2018-03-30 20:41:17 +0000

m4l490n gravatar image

I'm experiencing something confusing. I'm getting Malformed Packets on the log window but they are perfectly fine. These supposedly malformed packets reach the device just fine and the device responds fine as well, so there is nothing wrong with the packets. I'm sniffing a very simple CDC device and I'm sending a 0x30, 0x30, 0x0a from the host terminal.

I'm getting the malformed packets if I start a session and the plug my device. But if the device is already plugged in and I restart the session I no longer get the malformed packets. Everything seems to work just fine.

I noticed some discrepancies on how Wireshark report the packets on both scenarios. When the packet is reported as malformed, I noticed that the Protocols in frame field contains:

[Protocols in frame: usb:usb:com:eth]

But when it works fine then this same field contains:

[Protocols in frame: usb]

Additionally, I noticed that further down the field bInterfaceClass field contain the following when the packet is supposedly malformed:

[bInterfaceClass: CDC-Data (0x0a)]

And contains the following when the packets are reported fine:

[bInterfaceClass: Unknown (0xffff)]

Here is strange because it seems that the correct contents of this field, when the packet is not reported as malformed, should be CDC-Data, but I guess that is part of the problem.

Finally, if I compare the bytes in the packet window I can see that everything matches perfectly, (with exception of URB id, URB sec, and URB usec obviously) and even the 0x30, 0x30, 0x0a sent are there in both cases.

Is this a bug or should I configure something differently?

edit retag flag offensive close merge delete


We'll probably have to see the capture to determine what the issue is. You might want to file a bug on the Wireshark Bugzilla, and attach the capture to it.

Guy Harris gravatar imageGuy Harris ( 2018-03-31 02:33:56 +0000 )edit