
Frames are undecoded and have funny bytes in header

asked 2023-01-06 06:40:02 +0000

vdh

This is a WIN 10 installation. I'm getting frames from npcap with the capture filter "udp port 23456" when I send UDP messages to port 23456. I can also sniff the UDP packets with the "packet sender" app. But in the Wireshark GUI they are not decoded, and the raw frame data shown seems to have the correct UDP data part, but the IP header has several additional bytes. I have completely uninstalled Wireshark and npcap and reinstalled them fresh with the newest version several times now. Nothing changes. I've tried several LAN and WLAN ports, all the same. I do not receive any decoded frames at all, just these funny frames without decoding. I'm lost...

    0000   ff ff ff ff ff ff 08 b6 1f 29 98 74 08 00 45 00   .........).t..E.
    0010   00 26 00 22 00 00 ff 11 48 db c0 a8 b2 21 ff ff   .&."....H....!..
    0020   ff ff 30 39 5b a0 00 12 02 25 00 01 ff 00 00 00   ..09[....%......
    0030   00 00 00 00 00 00 00 00 00 00 00 00               ............

UDP payload data is 10 bytes: 00 01 ff 00 00 00 00 00 00 00

In the GUI there is only data in the columns "Time" and "Length". No source, no destination, no protocol. The protocols are active as per default after installation.



Importing this text shows a perfectly normal UDP packet to me, so it may be something you haven't tweaked yet. What happens if you select a different profile?

Jaap (2023-01-06 06:48:51 +0000)

Jaap, that idea saved me. Thanks so much for posting it!!!

When switching from the default to the classic profile, I suddenly get my packet decoded. But this brings up three new questions:

  1. Why does a complete uninstallation under Win 10 NOT delete the profile and keep it for the new installation?
  2. How can I get my system back to an ordinary default profile as given by a plain new installation?
  3. What can be wrong in the default profile's configuration to give such a disastrous result (I'd love to upload a screenshot but the system expects 60 karma points for me to be able to upload files)?

Funnily enough, this result: I deleted the profile's directory to get back the correct default configuration. But when closing and restarting Wireshark I get the same result: the default profile does not show any decoding while the classic profile does ...

vdh (2023-01-06 09:02:06 +0000)
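Jaap's remark that the pasted text is "a perfectly normal UDP packet" can be checked without Wireshark at all. The following script is an added example, not part of the original thread: it re-parses the hex dump from the question by hand (Ethernet II, IPv4, UDP), recomputes the IPv4 header checksum and the UDP checksum over the pseudo-header, separates the real datagram from the Ethernet padding, and can write the frame out as a pcap file so it can be reopened under a known-good profile. It uses only the Python standard library; the only input is the dump from the question, embedded as FRAME_DUMP.

```python
"""Decode and sanity-check the hex dump posted in the question (added example)."""
import ipaddress
import re
import struct

# The frame exactly as pasted in the question (Wireshark "hex dump" format).
FRAME_DUMP = """\
0000   ff ff ff ff ff ff 08 b6 1f 29 98 74 08 00 45 00   .........).t..E.
0010   00 26 00 22 00 00 ff 11 48 db c0 a8 b2 21 ff ff   .&."....H....!..
0020   ff ff 30 39 5b a0 00 12 02 25 00 01 ff 00 00 00   ..09[....%......
0030   00 00 00 00 00 00 00 00 00 00 00 00               ............
"""

# offset, then 1..16 "xx " byte tokens; the ASCII column is separated by >=2 spaces.
_DUMP_LINE = re.compile(r"^([0-9a-f]{4})\s+((?:[0-9a-f]{2} ){1,16})", re.I)


def parse_hexdump(text: str) -> bytes:
    """Turn a Wireshark-style hex dump into the raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line.strip() + " ")
        if m:
            out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a block that includes its checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / UDP and verify both checksums."""
    eth_dst, eth_src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError(f"not IPv4/UDP: version {ver_ihl >> 4}, proto {proto}")
    src_ip, dst_ip = ip[12:16], ip[16:20]
    # Total Length bounds the datagram; anything beyond it is link-layer padding.
    udp = ip[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, ulen)
    return {
        "eth_src": eth_src.hex(":"),
        "eth_dst": eth_dst.hex(":"),
        "src": str(ipaddress.IPv4Address(src_ip)),
        "dst": str(ipaddress.IPv4Address(dst_ip)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "payload": udp[8:ulen],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        # A zero UDP checksum means "not computed" over IPv4 and is legal.
        "udp_checksum_ok": ucsum == 0 or inet_checksum(pseudo + udp[:ulen]) == 0,
        "padding": len(frame) - 14 - total_len,
    }


def to_pcap(frames: list) -> bytes:
    """Wrap raw Ethernet frames in a classic pcap container (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return bytes(out)


if __name__ == "__main__":
    frame = parse_hexdump(FRAME_DUMP)
    for k, v in decode_frame(frame).items():
        print(f"{k:16} {v.hex() if isinstance(v, bytes) else v}")
    with open("question_frame.pcap", "wb") as fh:
        fh.write(to_pcap([frame]))
```

Running it reports 192.168.178.33:12345 to 255.255.255.255:23456, a 10-byte payload, both checksums valid, and 8 bytes of padding after the 38-byte datagram, which is why the IP header "seems to have additional bytes": a 52-byte frame is padded to the 60-byte Ethernet minimum. Opening the written file with `wireshark -C Classic question_frame.pcap` (or `tshark -r question_frame.pcap -V`) shows the same fields, and `tshark --disable-protocol udp -r question_frame.pcap` reproduces the undecoded-frame symptom on purpose.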

1 Answer


answered 2023-01-06 18:39:40 +0000

Jaap

(To round this one out.) The problem stems from a misconfiguration which ended up in the default profile. Restoring the original default profile solves this problem. Possibly disabling the UDP dissector would cause this.



Thanks for this summary! Where can one find the configuration to disable the UDP dissector?

vdh (2023-01-06 19:45:53 +0000)

  1. Via the context menu of the protocol in the packet details pane
  2. Via the menu Analyze | Enabled Protocols

Jaap (2023-01-06 22:53:46 +0000)
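Both of Jaap's menu paths end up editing the same on-disk file, which is also the thing a reinstall leaves behind: Wireshark writes the list of unchecked protocols to a plain-text file named disabled_protos in the personal configuration directory (%APPDATA%\Wireshark on Windows, ~/.config/wireshark on other platforms), with the Default profile living in that directory itself and every other profile under profiles\<name>. Because that directory sits under the user's profile rather than the program directory, removing and reinstalling the program does not touch it. The script below is an added example (not from the thread or from the Wireshark project) that walks those directories, parses each disabled_protos file (one protocol filter name per line, "#" comments), and flags any profile that has disabled a dissector ordinary traffic depends on. The set of "core" protocol names it checks is this example's own choice; demo_audit() builds a constructed profile tree in a temporary directory so the check can be exercised without touching a real installation.

```python
"""Audit Wireshark profiles for disabled core dissectors (added example)."""
import os
import tempfile
from pathlib import Path

# Dissectors every Ethernet/IP capture passes through. Disabling any of these in
# a profile leaves frames undecoded, with only Time and Length filled in.
CORE_PROTOCOLS = {"eth", "ethertype", "ip", "ipv6", "udp", "tcp"}


def parse_disabled_protos(text: str) -> set:
    """disabled_protos format: one protocol filter name per line, '#' starts a comment."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.lower())
    return names


def wireshark_config_root() -> Path:
    """Personal configuration directory: %APPDATA%\\Wireshark on Windows."""
    if os.name == "nt":
        return Path(os.environ.get("APPDATA", "")) / "Wireshark"
    return Path.home() / ".config" / "wireshark"


def profile_dirs(root: Path) -> dict:
    """Map profile name to directory; the Default profile is the root itself."""
    found = {"Default": root}
    profiles = root / "profiles"
    if profiles.is_dir():
        for p in sorted(profiles.iterdir()):
            if p.is_dir():
                found[p.name] = p
    return found


def audit_profiles(root: Path) -> dict:
    """Return {profile: set of disabled protocol names} for every profile under root."""
    result = {}
    for name, d in profile_dirs(root).items():
        f = d / "disabled_protos"
        text = f.read_text(encoding="utf-8", errors="replace") if f.is_file() else ""
        result[name] = parse_disabled_protos(text)
    return result


def broken_profiles(audit: dict) -> dict:
    """Profiles whose disabled set includes a core dissector, with the offending names."""
    return {p: s & CORE_PROTOCOLS for p, s in audit.items() if s & CORE_PROTOCOLS}


def demo_audit() -> dict:
    """Constructed sample: a Default profile with udp disabled and a clean Classic profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "disabled_protos").write_text(
            "# Disabled protocols file for Wireshark (constructed sample).\n"
            "udp\n"
            "mdns\n",
            encoding="utf-8",
        )
        (root / "profiles" / "Classic").mkdir(parents=True)
        (root / "profiles" / "Classic" / "disabled_protos").write_text(
            "# nothing disabled here\n", encoding="utf-8"
        )
        return broken_profiles(audit_profiles(root))


if __name__ == "__main__":
    real = audit_profiles(wireshark_config_root())
    for profile, bad in broken_profiles(real).items():
        print(f"profile {profile!r} disables core dissector(s): {sorted(bad)}")
    print("constructed sample:", demo_audit())
```

On an affected machine the real audit prints something like `profile 'Default' disables core dissector(s): ['udp']`; re-enabling the protocol through Analyze | Enabled Protocols rewrites that file, and deleting the file from the profile directory while Wireshark is closed has the same effect.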
