This wiki has been migrated to and is now deprecated. Please use that site instead.

malformed "protocol"

The malformed protocol isn't a real protocol itself, but used by Wireshark to indicate a problem while dissecting the packet data. You could think of it as a pseudo dissector.

While Wireshark dissects the packet data, the protocol dissector in charge tried to read from the packet data at an offset simply not existing. This raised an internal Exception, leading to this malformed indication.

There are three main causes:

It's difficult to say (in a general way) which is the real cause in a given scenario, without looking at the packet data and having some knowledge of the protocol (dissector) involved.


This feature exists in Wireshark since version 0.9.0.

Protocol dependencies

This pseudo-protocol can happen at any protocol dissector.

Example traffic

XXX - add example traffic showing malformed.


The malformed dissector is "fully functional" ;-)

Preference Settings

There are no preference settings affecting how malformed is dissected.

Example capture file

XXX - add a capture file example.

Display Filter

There are no display filter fields for malformed, see: display filter reference. You can simply filter on malformed to see all packets conaining malformed data:

Capture Filter

A capture filter for the malformed pseudo protocol wouldn't make sense, as the malformed status isn't detected while capturing.


Protocols/malformed (last edited 2008-04-12 17:51:23 by localhost)