Wireshark-users: Re: [Wireshark-users] Bad Checksum Packet
From: Andreas Fink <afink@xxxxxxxxxxxxx>
Date: Mon, 11 Feb 2008 06:51:01 +0100


On 11.02.2008, at 06:35, Becky Vict wrote:

Hi,

The protocol that I'm interested in is TCP (ftp transfer). I've done as per recommended but the following is what I get.

Transmission Control Protocol, Src Port: 5001 (5001), Dst Port: ftp-data (20), Seq: 1, Ack: 15169, Len: 0
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 15984
Checksum: 0x6eab [correct]

I tried applying tcp.checksum_bad == 1 display filter but comes up with nothing. Either there is no bad checksum packet in the capture at all or it gets discarded and doesn't show in Wireshark. Is there a way to confirm this? (by looking at both client and server captures for example).

in todays wired networks its rather rare to see invalid checksums because it would mean that  a packet get transmitted and received but incorrectly received due to a bad wire o the like. Todays network much more likely have packets removed completely due to congestion or other reasons. A packet error on TCP is unlikely if there's already a checksum at a lower level which would discard the packet.

So its very unlikely to see tcp.checksum_bad == 1 unless you have a broken TCP stack creating wrong checksums or the like.



Thanks.

Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
On Sun, Feb 10, 2008 at 06:35:08AM -0800, Becky Vict wrote:

> I would like to know if a packet is discarded due to bad checksum,
> will it show in the capture? How to distinguish this quickly? What
> display filter should I use for this?

If the frame is discarded by the network card for a bad CRC, you will
probably not see it in Wireshark at all. If the checksum is bad at
higher layers, then you will see bad checksum checks at various
protocols/layers (IP, TCP, UDP and some other protocols such as CDP and
EDP). Go into the protocol layer of a packet that you want to check the
checksum of and there will be a tree such as the following:

User Datagram Prptocol, Src Port: domain (53), Dst Port: 58475 (58475)
Source Port: domain (53)
Destination port: 58475 (58475)
Length: 108
Checksum 0x2b97 [correct]
[Good Checksum: True]
[Bad Checksum: False]

Right click on the good or bad checksum and go to Apply as Filter -
Selected to apply a display filter for good or bad checksums. The
filters in this case will be udp.checksum_good == 1 or udp.checksum_bad
== 1 if it is good or bad respectively.

There are also coloring rules in place by default for Checksum Errors
that turn the packet list line red on black for cdp, edp, ip, tcp, udp
checksums that are bad. Note that other a few other protocols have
checksum checks too, but they are not in the default coloring rules.


Steve

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users



Looking for last minute shopping deals? Find them fast with Yahoo! Search._______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users