This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IPP request [Malformed Packet]

Hello,

I have this problem. When I'm capturing my wlan0 interface with Wireshark (I'm sending a print job with the IPP protocol), IPP communication is normal except sending the print job (all requests/responses are normal (Get-Job-Attributes, Get-Printer-Attributes, Create-Job) except sending the data file (print job)). I can't see (in this entry) the content of the print job, version of IPP is 90.100, Operation-id: Unknown (0x656c) and Request ID: 1869894446. I have in Wireshark more than 20 entries like this (IPP request [Malformed Packet] entries with these wrong values).

Wireshark says: Expert Info (Error/Malformed): Malformed Packet (exception occured) Message: Malformed Packet (Exception Occured) Severity level: Error Group: Malformed

I want to see the content of the print job but I can't. I don't understand where the problem is that makes the IPP request malformed. Could you help me please? Thank you very much and sorry for my English :)

asked 29 Nov '13, 03:34

Andyn

Did you limit the capture size (for whatever reason)? If so, Wireshark will not be able to fully dissect the IPP packets, due to the missing bytes and thus print that error message.

If you look into the frame, you can see the values for "bytes on wire" and "bytes captured". If those values are not identical, you did limit the capture size.

(29 Nov '13, 05:35) Kurt Knochner ♦
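
The check described in the comment above (compare "bytes on wire" with "bytes captured"), applied to a whole pcapng file at once. This is an added example, not part of the original thread: a minimal reader that lists every frame whose captured length is shorter than its on-wire length. The function names and the sample capture are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def truncated_frames(pcapng: bytes):
    """Return [(frame_no, captured_len, wire_len)] for frames cut short by a snaplen."""
    hits, frame_no, offset, endian = [], 0, 0, "<"
    while offset + 12 <= len(pcapng):
        if struct.unpack_from("<I", pcapng, offset)[0] == SHB:
            # Section Header Block: its byte-order magic fixes the endianness.
            magic = struct.unpack_from("<I", pcapng, offset + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        block_type, total_len = struct.unpack_from(endian + "II", pcapng, offset)
        if total_len < 12 or total_len % 4 or offset + total_len > len(pcapng):
            raise ValueError(f"corrupt block at offset {offset}")
        if block_type == EPB and total_len >= 32:
            frame_no += 1
            # Enhanced Packet Block body: interface id, timestamp high/low,
            # then captured length and original (on-wire) length.
            cap_len, wire_len = struct.unpack_from(endian + "II", pcapng, offset + 20)
            if cap_len < wire_len:
                hits.append((frame_no, cap_len, wire_len))
        offset += total_len
    return hits

def _block(block_type: int, body: bytes) -> bytes:
    """Wrap a body in pcapng framing (type, total length, body, total length)."""
    body += b"\0" * (-len(body) % 4)  # bodies are padded to 32 bits
    total = len(body) + 12
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def build_sample(snaplen: int = 96) -> bytes:
    """Constructed capture: one 60-byte frame and one 1514-byte frame."""
    out = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", 1, 0, snaplen))  # linktype 1 = Ethernet
    for wire_len in (60, 1514):
        data = b"\xaa" * min(wire_len, snaplen)  # dummy payload, cut at snaplen
        out += _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(data), wire_len) + data)
    return out

if __name__ == "__main__":
    for frame_no, cap_len, wire_len in truncated_frames(build_sample(96)):
        print(f"frame {frame_no}: {cap_len} bytes captured, {wire_len} bytes on wire")
```

An empty result means no frame was cut by a capture size limit, so truncation can be ruled out as the cause of a dissector error.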

I connect to PC (which is providing CUPS server) with ethernet cable instead of wlan (router) and there are no malformed packets anymore. Do you have any idea where the problem is? I didn't try anything else except changing wlan to ethernet.

(01 Dec '13, 07:34) Andyn

See my comment above. What do you see if you check 'bytes captured' in the WLAN capture file for those malformed frames?

(01 Dec '13, 08:34) Kurt Knochner ♦

1514 bytes on wire and 1514 bytes captured. Can I get readable content of sent IPP document in Wireshark? I found somewhere to use Follow TCP stream, but when I do it, there is just some mess like this: currentfile /ASCII85Decode filter /LZWDecode filter cvx exec J.'GP1)YJ2:a-L/6rF=&5]f",9VMV4PfsINPg$$lJV;@O%03.smQ('PQ#V^%=ggiP:i9P6m1 &e,,#6QsIUEP1^W4j%">[.@O%03.smQ('PQ#V^%=ggiP:i9P6m1 &e,,#6QsIUEP1^W4j%VfmLeP21i['0XteJ5'-rMBI73qYi]MqRS:_)[:!GtMG0%^!tgdCBfAL( FIC'+_5Lbn>92]]a#cSAZ&>[email protected]\jd2S!P$:g'tTf,7oMo%:D37/I$S.]\mgscphMRIG413 (Z=Q;")5F8)Qr"=NfCOoQ)ibUDCCLE1_#S2=J!5rCj3Lri1"+

(01 Dec '13, 12:59) Andyn

Can I get readable content of sent IPP document ...
but when I do it, there is just some mess like this:

Well, that 'mess' is actually the readable content. It's one part of a PostScript file, where parts are LZW compressed...

Anyway, as my assumption regarding the capture size was wrong, please follow the advice of @grahamb and provide a capture file, otherwise it will be hard/impossible to help you.

(01 Dec '13, 16:08) Kurt Knochner ♦

instead of wlan (router) and there are no malformed packets anymore.

What is

  • your OS and OS version
  • your Wireshark version

(02 Dec '13, 03:37) Kurt Knochner ♦

Here it is...sorry for delay http://speedy.sh/zH5rF/doc5Malf

(09 Dec '13, 14:33) Andyn

O.K. from the pcapng comments I can see that it was taken with dumpcap 1.8.2 on some Linux system (kernel 3.8.0).

Is it possible to post the capture file that was taken on the wlan0 interface?

(10 Dec '13, 07:27) Kurt Knochner ♦

One Answer:

For reasons currently unknown, the IPP dissector code in your version of Wireshark isn't happy with the IPP data in the traffic. This may be a bug in Wireshark. What version of Wireshark are you using?

Is there any way you can share the capture with the issue, e.g. CloudShark, DropBox etc.? If so, please post a link back to the capture here as a comment to your question.

answered 29 Nov '13, 04:10

grahamb ♦