Why am I getting "Malformed Packets" when analyzing USB CDC if they are correct?

asked 2018-03-30 20:41:17 +0000

m4l490n

I'm experiencing something confusing. I'm getting Malformed Packets in the log window but they are perfectly fine. These supposedly malformed packets reach the device just fine and the device responds fine as well, so there is nothing wrong with the packets. I'm sniffing a very simple CDC device and I'm sending a 0x30, 0x30, 0x0a from the host terminal.

I'm getting the malformed packets if I start a session and then plug in my device. But if the device is already plugged in and I restart the session, I no longer get the malformed packets. Everything seems to work just fine.

I noticed some discrepancies in how Wireshark reports the packets in both scenarios. When the packet is reported as malformed, I noticed that the Protocols in frame field contains:

[Protocols in frame: usb:usb:com:eth]

But when it works fine then this same field contains:

[Protocols in frame: usb]

Additionally, I noticed that further down, the bInterfaceClass field contains the following when the packet is supposedly malformed:

[bInterfaceClass: CDC-Data (0x0a)]

And contains the following when the packets are reported fine:

[bInterfaceClass: Unknown (0xffff)]

This is strange because it seems that the correct contents of this field, when the packet is not reported as malformed, should be CDC-Data, but I guess that is part of the problem.

Finally, if I compare the bytes in the packet window I can see that everything matches perfectly (with the exception of URB id, URB sec, and URB usec, obviously), and even the 0x30, 0x30, 0x0a sent are there in both cases.

Is this a bug or should I configure something differently?


We'll probably have to see the capture to determine what the issue is. You might want to file a bug on the Wireshark Bugzilla, and attach the capture to it.

Guy Harris (2018-03-31 02:33:56 +0000)

1 Answer

answered 2019-05-31 11:28:14 +0000

Wireshark is probably getting confused by something in the packet and it is utilising the wrong dissector. I would try disabling every protocol under Analyze->Enabled Protocols and only re-enabling the USB ones that you expect are the right ones.

Seen: 1,293 times

Last updated: May 31