Ask Your Question
0

Is this a normal set of "expert information" reports for a home network?

asked 2022-11-30 21:43:40 +0000

MrJoe gravatar image

updated 2022-11-30 21:50:05 +0000

Hi,

I left Wireshark running, capturing on a Windows host, for 24 hours give or take. There were periods when this Windows 11 system was used for playing a computer game, surfing the web, and running the cmd line tool traceroute. What causes malformed packets such as these? Is this normal? Does wireshark have a large number of false-positives? https://i.imgur.com/QMAdrtO.png

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-12-01 06:20:37 +0000

Jaap gravatar image

The likely origin of most of these is the fact that it is not always possible to correctly identify protocols from the packets alone. Sometime heuristics need to be applied to make an educated guess about what protocol the packet is from. Then when such choice is make it can turn out further down the packet dissection that an error is observed. Is it, or was the initial assumption about the protocol wrong? We try to create these heuristics as strong as possible, but sometimes there's just very little to work with. Other errors may come from packets that were missed/dropped, hence complicate further dissection of related packets. With such long term captures, your chance of running into scenarios like this are more likely.

edit flag offensive delete link more

Comments

I'm guessing that the Windows host is using either Wi-Fi or Ethernet, rather than 802.15.4, to access the Internet, and that Wireshark was capturing on that interface.

If so, then a lot of the problem may be that Wireshark is misidentifying some packets as 802.15.4 encapsulated inside something else. It would be interesting to see a capture file with those packets; if you want us to look at that, and are willing to have the Wireshark core developers see those packets, file an issue on the Wireshark issue list and attach the capture. Mark the issue as confidential by checking the "This issue is confidential and should only be visible to team members with at least Reporter access." if you don't want the capture file to be publicly visible.

Guy Harris gravatar imageGuy Harris ( 2022-12-01 09:42:26 +0000 )edit

Yes, you are correct. The windows host is connected to the internet via WiFi and the capture was running on that interface.

There's something broken with this Windows host's networking to begin with. It worked fine when connecting to internet directly through fiber modem and an Intel X540 dual port RJ45 NIC. . The onboard 2.5G NIC was connected to an IP camera network. I then was troubleshooting another issue and brought it home to swap some hardware. I used a USB WiFi adapter to connect to my home network which has a pfSense firewall/router, and have the strangest partial connectivity. For instance, I only got internet access after starting a screen session on the router that continuously arping's the Windows workstation's manually assigned IP. If it doesn't continuously run, I'll lose internet access (and the ability to access the router) eventually. Sometimes ...(more)

MrJoe gravatar imageMrJoe ( 2022-12-01 23:04:48 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-11-30 21:43:40 +0000

Seen: 124 times

Last updated: Dec 01 '22

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2