Frames are undecoded and have funny bytes in header

This is a WIN 10 installation. I'm getting frames from npcap with the capture filter "udp port 23456" when I send UDP messages to port 23456. I can also sniff the UDP packets with the "packet sender" app. But on the Wireshark GUI they are not decoded, and the raw frame data shown seems to have the correct UDP data part but the IP header has several additional bytes. I have completely uninstalled Wireshark and npcap and reinstalled them fresh with the newest version several times now. Nothing changes. I've tried several LAN and WLAN ports - all the same. I do not receive any decoded frames at all. Just these funny frames without decoding. I'm lost...

    0000   ff ff ff ff ff ff 08 b6 1f 29 98 74 08 00 45 00   .........).t..E.
    0010   00 26 00 22 00 00 ff 11 48 db c0 a8 b2 21 ff ff   .&."....H....!..
    0020   ff ff 30 39 5b a0 00 12 02 25 00 01 ff 00 00 00   ..09[....%......
    0030   00 00 00 00 00 00 00 00 00 00 00 00               ............

UDP payload data is 10 bytes: 00 01 ff 00 00 00 00 00 00 00

In the GUI there is only data in the columns "Time" and "Length". No source, no destination, no protocol. The protocols are active as per default after installation.

vdh
asked 2023-01-06 06:40:02 +0000

Comments

Importing this text shows a perfectly normal UDP packet to me, so it may be something you haven't tweaked yet. What happens if you select a different profile?

Jaap (2023-01-06 06:48:51 +0000)
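Jaap's point can be checked without Wireshark at all. The following is an added example, not part of the question or of Jaap's comment: a small Python decoder that parses the hex dump posted above as Ethernet II / IPv4 / UDP and verifies both the IPv4 header checksum and the UDP checksum (the latter over the IPv4 pseudo-header). The frame bytes are taken from the question; the function names are mine. It also reports how many bytes trail the IP packet, which for this 60-byte frame is the padding a sender adds to reach the Ethernet minimum frame size, so the "additional bytes" are not a damaged header.

```python
import struct

# Frame bytes copied from the hex dump in the question (60 bytes on the wire).
FRAME_HEX = (
    " ff ff ff ff ff ff 08 b6 1f 29 98 74 08 00 45 00"
    " 00 26 00 22 00 00 ff 11 48 db c0 a8 b2 21 ff ff"
    " ff ff 30 39 5b a0 00 12 02 25 00 01 ff 00 00 00"
    " 00 00 00 00 00 00 00 00 00 00 00 00"
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the one's-complement sum of 16-bit words.

    Summing a block that already contains its own checksum field yields 0xFFFF,
    so this function returns 0 for an intact header/datagram.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Dissect Ethernet II -> IPv4 -> UDP and verify both checksums.

    Raises ValueError on anything a dissector would flag as malformed.
    """
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")

    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if len(ip) < total_len:
        raise ValueError("truncated IPv4 packet")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    ip_csum_ok = ones_complement_sum(ip[:ihl]) == 0

    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto}")
    udp = ip[ihl:total_len]
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len != len(udp):
        raise ValueError("UDP length does not match IP total length")
    payload = udp[8:udp_len]
    # UDP checksum covers src/dst address, zero, protocol, UDP length + the datagram.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, udp_len)
    udp_csum_ok = udp_csum == 0 or ones_complement_sum(pseudo + udp) == 0

    return {
        "src_mac": src_mac, "dst_mac": dst_mac,
        "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl, "ip_id": ident,
        "ip_header_len": ihl, "ip_total_len": total_len, "ip_checksum_ok": ip_csum_ok,
        "src_port": sport, "dst_port": dport, "udp_len": udp_len,
        "udp_checksum_ok": udp_csum_ok,
        "payload": payload.hex(" "),
        # Bytes after the IP packet: Ethernet minimum-frame padding, not header data.
        "ethernet_padding": len(ip) - total_len,
    }


if __name__ == "__main__":
    for key, value in decode_frame(bytes.fromhex(FRAME_HEX)).items():
        print(f"{key:18} {value}")
```

Run against the posted bytes it reports 192.168.178.33:12345 to 255.255.255.255:23456, both checksums good, the 10-byte payload 00 01 ff 00 00 00 00 00 00 00, and 8 bytes of padding, i.e. exactly the "perfectly normal UDP packet" Jaap describes. A frame that parses and checksums cleanly but still shows only Time and Length in the GUI points at the profile, not at the capture.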

Jaap, that idea saved me. Thanks so much for posting it!!!

When switching from the default to the classic profile, I suddenly get my packet decoded. But this brings up three new questions:

  1. Why does a complete uninstallation under Win 10 NOT delete the profile and keeps it in the new installation?
  2. How can I get my system back to an ordinary default profile as given by a plain new installation?
  3. What can be wrong in the default profile's configurations to give such a disastrous result (I'd love to upload a screenshot but the system expects 60 point credits for me to be able to upload files)?

Funnily enough, this is the result: I deleted the profile's directory to get back the correct default configuration. But when closing and restarting Wireshark I get the same result: the default profile does not show any decoding while the classic profile does ...

vdh (2023-01-06 09:02:06 +0000)

1 Answer

(to round this one out) The problem stems from a misconfiguration which ended up in the default profile. Restoring the original default profile solves this problem. Possibly disabling the UDP dissector would cause this.

Jaap
answered 2023-01-06 18:39:40 +0000

Comments

Thanks for this summary! Where can one find the configuration to disable the UDP dissector?

vdh (2023-01-06 19:45:53 +0000)
  1. Via the context menu of the protocol in the packet details pane
  2. Via the menu Analyze | Enabled Protocols
Jaap (2023-01-06 22:53:46 +0000)
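Both of the places Jaap names write to the same per-profile file, so the state can also be inspected on disk. The following is an added example, not code from the question, the answer or the Wireshark project: a Python audit that reads each profile's `disabled_protos` file (one protocol filter name per line, `#` comments) and reports any of the dissectors this capture depends on (`eth`, `ip`, `udp`) that it turns off. It assumes the personal configuration layout where the Default profile keeps its files directly in the config root (on Windows `%APPDATA%\Wireshark`) and named profiles live under `profiles\<name>\`; the config tree built in `demo()` is constructed to mirror the situation in the thread and is not taken from the poster's system.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Dissectors the frame in the question depends on. With any one of them disabled,
# Wireshark shows only Time and Length for such frames, exactly as described above.
CORE_PROTOS = {"eth", "ip", "udp"}


def parse_disabled_protos(text: str) -> set[str]:
    """Parse a disabled_protos file: one protocol filter name per line, '#' comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.lower())
    return names


def profile_dirs(config_root: Path) -> dict[str, Path]:
    """Map profile name -> directory (assumed layout: Default in the root,
    named profiles under profiles/<name>/)."""
    dirs = {"Default": config_root}
    profiles = config_root / "profiles"
    if profiles.is_dir():
        for entry in sorted(profiles.iterdir()):
            if entry.is_dir():
                dirs[entry.name] = entry
    return dirs


def audit_profiles(config_root: Path) -> dict[str, set[str]]:
    """Return, per profile, the core protocols its disabled_protos file switches off."""
    findings: dict[str, set[str]] = {}
    for name, directory in profile_dirs(config_root).items():
        path = directory / "disabled_protos"
        disabled = parse_disabled_protos(path.read_text()) if path.is_file() else set()
        findings[name] = disabled & CORE_PROTOS
    return findings


def demo() -> dict[str, set[str]]:
    """Constructed config tree: Default has udp disabled, Classic does not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "disabled_protos").write_text("# disabled in Default\nudp\nsmb\n")
        classic = root / "profiles" / "Classic"
        classic.mkdir(parents=True)
        (classic / "disabled_protos").write_text("# nothing that matters here\nsmb\n")
        return audit_profiles(root)


if __name__ == "__main__":
    for profile, broken in demo().items():
        status = "OK" if not broken else f"core dissectors disabled: {sorted(broken)}"
        print(f"{profile}: {status}")
```

To run it against a real installation, call `audit_profiles(Path(os.environ["APPDATA"]) / "Wireshark")` instead of `demo()`. A profile that lists `udp` (or `ip` or `eth`) here is the misconfiguration the answer refers to; removing the line, or re-enabling the protocol under Analyze | Enabled Protocols, restores decoding for that profile.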
