
Is this a normal set of "expert information" reports for a home network?


Hi,

I left Wireshark running, capturing on a Windows host, for 24 hours, give or take. There were periods when this Windows 11 system was used for playing a computer game, surfing the web, and running the cmd line tool traceroute. What causes malformed packets such as these? Is this normal? Does Wireshark have a large number of false positives? https://i.imgur.com/QMAdrtO.png

MrJoe
asked 2022-11-30 21:43:40 +0000, updated 2022-11-30 21:50:05 +0000


1 Answer


The likely origin of most of these is the fact that it is not always possible to correctly identify protocols from the packets alone. Sometimes heuristics need to be applied to make an educated guess about what protocol the packet is from. Then, when such a choice is made, it can turn out further down the packet dissection that an error is observed. Is it, or was the initial assumption about the protocol wrong? We try to make these heuristics as strong as possible, but sometimes there's just very little to work with. Other errors may come from packets that were missed/dropped, which complicates further dissection of related packets. With such long-term captures, your chances of running into scenarios like this are higher.

Jaap
answered 2022-12-01 06:20:37 +0000

Comments

I'm guessing that the Windows host is using either Wi-Fi or Ethernet, rather than 802.15.4, to access the Internet, and that Wireshark was capturing on that interface.

If so, then a lot of the problem may be that Wireshark is misidentifying some packets as 802.15.4 encapsulated inside something else. It would be interesting to see a capture file with those packets; if you want us to look at that, and are willing to have the Wireshark core developers see those packets, file an issue on the Wireshark issue list and attach the capture. Mark the issue as confidential by checking the "This issue is confidential and should only be visible to team members with at least Reporter access." if you don't want the capture file to be publicly visible.

Guy Harris (2022-12-01 09:42:26 +0000)
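As an added example (not code from this thread or from the Wireshark project), here is how a practitioner would turn the two points above into a check: pull the expert-info errors and warnings out of the capture with tshark, count them per protocol and message, and then re-run with a named heuristic dissector disabled to see whether a heuristic guess (such as the 802.15.4 misidentification Guy Harris suspects) accounts for them. The tshark fields and options used are real; the capture file name, the heuristic name and the sample lines are placeholders or constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread or the Wireshark project.
# Attribute Wireshark expert-info items to protocols with tshark, then check
# whether a heuristic dissector is responsible by disabling it and re-counting.
# The fields (_ws.expert.severity, _ws.expert.message, _ws.col.Protocol) and the
# --disable-heuristic / -G heuristic-decodes options are real tshark features;
# the capture name and heuristic name passed in are placeholders.

# One line per frame that carries an expert item of severity error or warn:
#   frame.number <TAB> protocol column <TAB> expert message(s)
expert_lines() {                      # $1 = capture file
    tshark -r "$1" \
        -Y '_ws.expert.severity == error || _ws.expert.severity == warn' \
        -T fields -E separator=/t \
        -e frame.number -e _ws.col.Protocol -e _ws.expert.message
}

# Same extraction with one heuristic dissector switched off, so a frame that
# heuristic used to claim falls back to the next candidate (or to plain Data).
expert_lines_without() {              # $1 = capture file, $2 = heuristic name
    tshark -r "$1" --disable-heuristic "$2" \
        -Y '_ws.expert.severity == error || _ws.expert.severity == warn' \
        -T fields -E separator=/t \
        -e frame.number -e _ws.col.Protocol -e _ws.expert.message
}

# List every heuristic dissector tshark knows, with its enabled state;
# take the name for --disable-heuristic from this listing.
list_heuristics() { tshark -G heuristic-decodes; }

# Aggregate "frame<TAB>protocol<TAB>message" lines on stdin into
# "count<TAB>protocol<TAB>message", most frequent first.
summarize_expert() {
    awk -F '\t' '{ key = $2 "\t" $3; n[key]++ }
                 END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

summarize_capture() { expert_lines "$1" | summarize_expert; }              # $1 = capture
summarize_without() { expert_lines_without "$1" "$2" | summarize_expert; } # $1 = capture, $2 = heuristic

# Constructed sample of what expert_lines prints (not taken from a real
# capture), so the aggregation can be exercised without tshark installed.
sample_lines() {
    printf '%s\t%s\t%s\n' \
        12  'IEEE 802.15.4' 'Malformed Packet (Exception occurred)' \
        40  'IEEE 802.15.4' 'Malformed Packet (Exception occurred)' \
        77  'TCP'           'Previous segment not captured (common at capture start)' \
        91  'TLSv1.2'       'Ignored Unknown Record' \
        108 'IEEE 802.15.4' 'Malformed Packet (Exception occurred)'
}
sample_summary() { sample_lines | summarize_expert; }

# Stand-alone use: summarise a real capture when tshark is available
# (optionally once more with a heuristic disabled); otherwise show the
# summary of the constructed sample.
if [ "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
    summarize_capture "$1"
    if [ "${2:-}" ]; then
        echo "--- with heuristic $2 disabled ---"
        summarize_without "$1" "$2"
    fi
else
    sample_summary
fi
```

Run it as `sh expert-summary.sh capture.pcapng` to get the same grouping the Analyze > Expert Information dialog shows, but on the command line, and as `sh expert-summary.sh capture.pcapng <heuristic-name>` after picking a name from `tshark -G heuristic-decodes`. If the "Malformed Packet" count for a protocol disappears once its heuristic is disabled, the items were a misguess rather than real malformed traffic; a count that stays put points at dropped or truncated packets instead.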

Yes, you are correct. The windows host is connected to the internet via WiFi and the capture was running on that interface.

There's something broken with this Windows host's networking to begin with. It worked fine when connecting to the internet directly through a fiber modem and an Intel X540 dual port RJ45 NIC. The onboard 2.5G NIC was connected to an IP camera network. I then was troubleshooting another issue and brought it home to swap some hardware. I used a USB WiFi adapter to connect to my home network, which has a pfSense firewall/router, and have the strangest partial connectivity. For instance, I only got internet access after starting a screen session on the router that continuously arpings the Windows workstation's manually assigned IP. If it doesn't continuously run, I'll lose internet access (and the ability to access the router) eventually. Sometimes ... (more)

MrJoe (2022-12-01 23:04:48 +0000)
