the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

I get "Can't get list of interfaces: message payload is too short" when trying to add remote interfaces #910

Closed Usabab closed 4 years ago

Usabab commented 4 years ago

Hello, trying to add remote interfaces I get this error. I usually use Wireshark; this is a new installation on a new PC. I tried to disable antivirus and firewall, and also to launch with administrator rights, without success. Following the Wireshark support I made this:

I attach the screenshot of wireshark version and the capture made as above.

Thanks

tcp.port2002.zip wireshark

guyharris commented 4 years ago

That's because the PABX's rpcap server is buggy - the "payload length" field of the reply has the value 20, but it should have the value 22. The payload has:

which adds up to 2+2+4+2+2+5+5 = 22.

All 22 bytes are present in the message - the PABX just put the wrong value in the reply.

Please report this to the vendor of the PABX.

For a short-term workaround, you could try either:

  1. un-installing Npcap and installing WinPcap, because WinPcap doesn't bother checking the payload length;
  2. leaving Npcap installed and trying the capture from the command line, using dumpcap (dumpcap.exe should be in the same directory as wireshark.exe; if that's not in the path for a command-line window, you may have to run it with the full path), with a command line such as "dumpcap -i rpcap://{address or host name of the PABX}/TRACE -w {path name to which to save the capture}", type a control-C to stop the capture, and then read the capture file in Wireshark, because dumpcap might not bother trying to get a list of interfaces.

Usabab commented 4 years ago

Thanks Guy, but is WinPcap Win10 compatible? On the website it seems not.

guyharris commented 4 years ago

> Thanks Guy, but is WinPcap Win10 compatible? On the website it seems not.

WinPcap sometimes works for local capture on Windows 10. The issue there is that WinPcap and Npcap include kernel-mode drivers that tap in to the lower level of the networking stack (NDIS) to see all incoming and outgoing packets. The WinPcap driver uses an older NDIS mechanism, as it was written to support older versions of Windows; that mechanism sometimes has issues on newer versions of Windows. The Npcap driver uses a newer mechanism, so it won't work on versions of Windows before Windows Vista, but may work better on the newer versions than does the older one.

WinPcap should have no problem with remote capture, as that doesn't use the driver, it just uses the regular networking stack (TCP and UDP).

guyharris commented 4 years ago

What vendor makes the PBX, and what model is it?

Usabab commented 4 years ago

The PABX is an Innovaphone. There is an info that recommends not to use Wireshark version 3 but for another reason. However even with the recommended version I have the same problem.

guyharris commented 4 years ago

> The PABX is an Innovaphone.

Thanks. I've sent them a message reporting the bug; I don't know who reads the messages sent via the Web interface, but hopefully it'll get reported to somebody technical and they'll read this issue and fix their bug.

> There is an info that recommends not to use Wireshark version 3 but for another reason. However even with the recommended version I have the same problem.

This problem isn't directly an issue of the version of Wireshark, it's an issue of the version of the libpcap code being used. If you use older versions of Wireshark with the current version of Npcap, the problem will still occur.

The only way it's related to the Wireshark version is that newer versions of Wireshark install Npcap by default rather than installing WinPcap by default, and the version of Npcap that it installs is based on a recent version of libpcap that does more error checking in its remote capture client.
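
The payload-length check discussed in this thread, modelled as an added example (it is not part of the original discussion and is not libpcap, Npcap or WinPcap code): a reply whose header declares 20 payload bytes while its single interface entry needs 22 fails a client that budgets by the declared length and passes one that ignores it. The header and entry layouts, the field names, message type 130 and the sample name and description strings are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8   /* assumed header: ver(1) type(1) value(2) plen(4), big-endian */
#define IF_LEN  12  /* assumed entry: namelen(2) desclen(2) flags(4) naddr(2) pad(2) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Consume n bytes of the remaining payload budget; -1 if the budget is short. */
static int take(size_t *b, size_t n) { if (*b < n) return -1; *b -= n; return 0; }

/* Returns the interface count, or -1 for "message payload is too short".
 * strict: budget is the declared plen; otherwise plen is ignored (received bytes). */
int parse_findalldevs_reply(const uint8_t *msg, size_t len, int strict) {
    if (len < HDR_LEN) return -1;
    uint16_t nif = be16(msg + 2);            /* "value" carries the entry count */
    size_t plen = ((size_t)be16(msg + 4) << 16) | be16(msg + 6);
    size_t avail = len - HDR_LEN;
    if (strict && plen > avail) return -1;   /* never read past the buffer */
    size_t budget = strict ? plen : avail;
    const uint8_t *p = msg + HDR_LEN;
    for (uint16_t i = 0; i < nif; i++) {
        if (take(&budget, IF_LEN) < 0) return -1;
        size_t strings = (size_t)be16(p) + be16(p + 2);
        if (be16(p + 8) != 0) return -1;     /* address records not modelled */
        if (take(&budget, strings) < 0) return -1;
        p += IF_LEN + strings;
    }
    return nif;
}

/* Constructed reply: one interface, 5-byte name and 5-byte description. */
size_t build_reply(uint8_t out[30], uint8_t declared_plen) {
    static const uint8_t body[22] = { 0,5, 0,5, 0,0,0,0, 0,0, 0,0,
        'T','R','A','C','E', 't','r','a','c','e' };
    const uint8_t hdr[HDR_LEN] = { 0, 130, 0, 1, 0, 0, 0, declared_plen };
    memcpy(out, hdr, HDR_LEN);
    memcpy(out + HDR_LEN, body, sizeof body);
    return HDR_LEN + sizeof body;
}

int main(void) {
    uint8_t m[30];
    size_t n = build_reply(m, 20);           /* the length value reported in the issue */
    printf("strict=%d lenient=%d\n",
           parse_findalldevs_reply(m, n, 1), parse_findalldevs_reply(m, n, 0));
    return 0;
}
```

With the declared length set to 22 the strict parser accepts the same bytes, which matches the observation above that all 22 bytes are present and only the length field is wrong.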

Usabab commented 4 years ago

All clear, thanks for the support

guyharris commented 4 years ago

> The PABX is an Innovaphone.

> Thanks. I've sent them a message reporting the bug; I don't know who reads the messages sent via the Web interface, but hopefully it'll get reported to somebody technical and they'll read this issue and fix their bug.

Somebody at Innovaphone indicated that they'd fixed the bug and the fix would be in a later release of their software.