malformed "protocol"

The malformed protocol isn't a real protocol itself; Wireshark uses it to indicate a problem while dissecting the packet data. You could think of it as a pseudo dissector.

While Wireshark was dissecting the packet data, the protocol dissector in charge tried to read from the packet data at an offset that does not exist. This raised an internal exception, leading to the malformed indication.

There are three main causes:

  • protocol data is malformed
  • protocol dissector is buggy
  • wrong protocol dissector used

It's difficult to say (in a general way) which is the real cause in a given scenario, without looking at the packet data and having some knowledge of the protocol (dissector) involved.
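
The failure mode described above, sketched as an added example (not Wireshark source code): a bounds-checked reader over a constructed type/length/value format, where any read past the end of the captured bytes aborts dissection and is reported as malformed. The names `buf_view`, `get_u8` and `dissect_tlv` and the record format are hypothetical; the samples cover malformed data and a wrong dissector, two of the three causes listed.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked view of captured bytes (not Wireshark's API). */
typedef struct { const uint8_t *data; size_t len; jmp_buf on_error; } buf_view;

/* Every read checks its offset; an out-of-range read aborts the dissection. */
static uint8_t get_u8(buf_view *b, size_t off) {
    if (off >= b->len) longjmp(b->on_error, 1);
    return b->data[off];
}

/* Constructed toy format: type(1) length(1) value(length), repeated.
 * Returns the number of records dissected, or -1 for "malformed". */
int dissect_tlv(const uint8_t *pkt, size_t len) {
    buf_view b;
    size_t off = 0;
    int records = 0;
    b.data = pkt;
    b.len = len;
    if (setjmp(b.on_error)) return -1;  /* a read ran past the packet end */
    while (off < b.len) {
        uint8_t vlen;
        (void)get_u8(&b, off);                            /* type */
        vlen = get_u8(&b, off + 1);                       /* length */
        if (vlen > 0) (void)get_u8(&b, off + 1 + vlen);   /* last value byte */
        off += 2 + (size_t)vlen;
        records++;
    }
    return records;
}

/* Constructed sample packets, one per situation. */
static const uint8_t pkt_ok[]        = { 0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00 };
static const uint8_t pkt_truncated[] = { 0x01, 0x04, 0xAA, 0xBB };  /* length lies */
static const uint8_t pkt_other[]     = { 'G', 'E', 'T', ' ', '/' }; /* other protocol */

int main(void) {
    printf("well-formed:     %d\n", dissect_tlv(pkt_ok, sizeof pkt_ok));
    printf("malformed data:  %d\n", dissect_tlv(pkt_truncated, sizeof pkt_truncated));
    printf("wrong dissector: %d\n", dissect_tlv(pkt_other, sizeof pkt_other));
    return 0;
}
```

The last two samples return the same result, which is why the cause cannot be told apart without looking at the bytes and knowing the protocol.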


This feature has existed in Wireshark since version 0.9.0.

Protocol dependencies

This pseudo-protocol can occur in any protocol dissector.

Example traffic

XXX - add example traffic showing malformed.


The malformed dissector is "fully functional" ;-)

Preference Settings

There are no preference settings affecting how malformed is dissected.

Example capture file

XXX - add a capture file example.

Display Filter

There are no display filter fields for malformed; see the display filter reference. You can simply filter on malformed to see all packets containing malformed data:

Example: Show only malformed packets:

    malformed

Capture Filter

A capture filter for the malformed pseudo protocol wouldn't make sense, as the malformed status isn't detected while capturing.

External links

  • there are no external links


Imported from on 2020-08-11 23:20:57 UTC