This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

FC malformed packet - no source addr or dest addr. All zeros

0
1

Have you seen this issue? How should I proceed to troubleshoot this issue?

asked 28 Aug '13, 09:35

dtootle's gravatar image

dtootle
11122
accept rate: 0%


One Answer:

0

Is this a real FC frame, or do you just think it is a FC frame, because Wireshark show FC as protocol?

Wireshark shows frames with an ethertype of 0 as FC. See Bug 8256

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8256

So, this could be just a malformed ethernet frame (lots of zeros at the beginning - maybe caused by a broken NIC) and Wireshark shows it as FC.

Is it possible to post a sample capture file (Google Drive, Dropbox, etc.)?

How should I proceed to troubleshoot this issue?

First I suggest to figure out if it it makes sense to see a FC (over Ethernet) frame on the link where you captured the traffic.

  • If it makes sense: You need to figure out where the frame was originated. Take a look at the rest of the frame and check if there are any 'known' byte sequences that might help.
  • If it makes no sense: It could be just a damaged ethernet frame and Wireshark shows it as FC (see bug above). In that case you need to find the broken NIC/switch port that generated the packet.

Regards
Kurt

answered 28 Aug '13, 10:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thank you so much. I would like to upload a capture but do not have Google Drive or Dropbox - anything options?

(28 Aug '13, 10:34) dtootle

There is also http://cloudshark.org

HINT: You cannot (later) delete an uploaded file, so please just upload files without any sensitive information!

Otherwise, please use one of those (free) online file hosters like https://mega.co.nz/ (or others)

(28 Aug '13, 10:44) Kurt Knochner ♦