Ask Your Question
0

Protocol Preferences change on accident

asked 2023-03-17 16:05:42 +0000

wwwillster07 gravatar image

I'm looking at a capture of a web server that connects to a database server, which has a bunch of Malformed Packet:TDS entries. There's lots on line about this issue.

But somewhere along the line I changed a setting in my Wireshark instance and I'm not sure what I did nor how to undo it.

If I right click on the Malformed Packet:TDS and go to Protocol Preferences> I no longer see a list of options, instead the submenu that opens is grayed out with two options: Malformed packet has no preferences Disable malformed packet

But as I mentioned that's just greyed out. I have several profiles and it doesn't appear to be profile specific since it's the same with each. And maybe it's not a default...but at some point I was able to right click >Protocol Preferences> and there was a list of options, like setting the TDS version which I did to 7.4 since the SQL server is 2019, thought that might help me determine why we had these packets.

But this issue isn't even about the TDS packets, I just wanna know what I did to change that menu item :)

Thanks in advance

edit retag flag offensive close merge delete

Comments

Just one quick thing to add, Edit Preferences>Protocol>TDS contains some of the items I'm referring to that at one point existed on the right click menu...

wwwillster07 gravatar imagewwwillster07 ( 2023-03-17 16:19:53 +0000 )edit

It helps if you include the Wireshark version (output of wireshark -v or Help->About Wireshark:Wireshark) in the question. And also if it's different versions on the different systems.
Probably the most important question is if you put ketchup on your eggs?

Chuckc gravatar imageChuckc ( 2023-03-17 18:48:12 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2023-03-17 21:29:36 +0000

Chuckc gravatar image

For the sample capture attached to 14110: TDS (Tabular Data Stream) and SMP (SMUX) protocols misdissected in captures with MARS enabled, if the TDS reassembly preferences are unchecked:

image description

it causes many Malformed TDS expert info entries:

image description

Frame 1038 (Exception occurred) type messages are common when the dissector asks for more data than is available. The dissector asked but it's the main Wireshark memory management that flagged it as a Malformed Packet so there are no dissector preferences to set.

[Malformed Packet: TDS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

image description

The Expert Info added in frame 155 was added by the TDS dissector so the preference menu can be reached.

Hostname length: 40
    [Expert Info (Error/Malformed): Invalid hostname length (40)]
        [Invalid hostname length (40)]
        [Severity level: Error]
        [Group: Malformed]

image description

edit flag offensive delete link more
0

answered 2023-03-17 16:26:26 +0000

wwwillster07 gravatar image

Egg on my face. Perhaps the right click menu i'm referring to is on the Tabular Data Stream header...Went to another box where I know nothing was changed in Wireshark and the right click menu on the TDS malformed packet was the same. Which got me poking around a bit. So back to figuring out why my TDS streams all appear to be malformed......

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-03-17 16:05:42 +0000

Seen: 462 times

Last updated: Mar 17 '23