On 11.02.2008, at 06:35, Becky Vict wrote: Hi,
The protocol that I'm interested in is TCP (ftp transfer). I've done as per recommended but the following is what I get.
Transmission Control Protocol, Src Port: 5001 (5001), Dst Port: ftp-data (20), Seq: 1, Ack: 15169, Len: 0 Flags: 0x0010 (ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .0.. = Reset: Not set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 15984 Checksum: 0x6eab [correct]
I tried applying tcp.checksum_bad == 1 display filter but comes up with nothing. Either there is no bad checksum packet in the capture at all or it gets discarded and doesn't show in Wireshark. Is there a way to confirm this? (by looking at both client and server captures for example).
in todays wired networks its rather rare to see invalid checksums because it would mean that a packet get transmitted and received but incorrectly received due to a bad wire o the like. Todays network much more likely have packets removed completely due to congestion or other reasons. A packet error on TCP is unlikely if there's already a checksum at a lower level which would discard the packet.
So its very unlikely to see tcp.checksum_bad == 1 unless you have a broken TCP stack creating wrong checksums or the like.
Thanks.
Stephen Fisher <stephentfisher@xxxxxxxxx> wrote: On Sun, Feb 10, 2008 at 06:35:08AM -0800, Becky Vict wrote:
> I would like to know if a packet is discarded due to bad checksum, > will it show in the capture? How to distinguish this quickly? What > display filter should I use for this?
If the frame is discarded by the network card for a bad CRC, you will probably not see it in Wireshark at all. If the checksum is bad at higher layers, then you will see bad checksum checks at various protocols/layers (IP, TCP, UDP and some other protocols such as CDP and EDP). Go into the protocol layer of a packet that you want to check the checksum of and there will be a tree such as the following:
User Datagram Prptocol, Src Port: domain (53), Dst Port: 58475 (58475) Source Port: domain (53) Destination port: 58475 (58475) Length: 108 Checksum 0x2b97 [correct] [Good Checksum: True] [Bad Checksum: False]
Right click on the good or bad checksum and go to Apply as Filter - Selected to apply a display filter for good or bad checksums. The filters in this case will be udp.checksum_good == 1 or udp.checksum_bad == 1 if it is good or bad respectively.
There are also coloring rules in place by default for Checksum Errors that turn the packet list line red on black for cdp, edp, ip, tcp, udp checksums that are bad. Note that other a few other protocols have checksum checks too, but they are not in the default coloring rules.
Steve
_______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users
Looking for last minute shopping deals? Find them fast with Yahoo! Search._______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users
|