Wireshark-users: Re: [Wireshark-users] No indication about UDP checksum
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 2 Feb 2009 17:36:22 +1100
Use "-s 0" when capturing with tcpdump and it will not truncate any packets. (but your capture file will become much larger)


On Mon, Feb 2, 2009 at 5:28 PM, Yuxin Zhuang <yzhuang@xxxxxxxxxx> wrote:
Thanks, I got it.
 
The packets are captured by tcpdump and they are truncated. That should be the reason.
 
Thanks a lot to all of you!
 
Yuxin

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of ronnie sahlberg
Sent: 2009年2月2日 14:20

To: Community support list for Wireshark
Subject: Re: [Wireshark-users] No indication about UDP checksum


Have you disabled udp checksum validation in the preferences for UDP?

Another possibility is that the packet is "short" i.e. you didnt capture the entire packet.
This happens if you use tcpdump for example which defaults to only capture the first 68 or 96 bytes of eack packet.

You can check for this for these packets if you look at the "Frame" layer, if it says something like (xxx bytes on the wire, yyy bytes captured)
and xxx != yyy  then you have captured a truncated packet.
Truncated packets never have their checksums validated.






2009/2/2 Yuxin Zhuang <yzhuang@xxxxxxxxxx>
Hi, Jaap,

Thanks for your reply!

But the content of Checksum is not 0x0000. The output is as follows:
       Checksum: 0xd87e
               Good Checksum: False
               Bad Checksum: False

I can't figure out whether the checksum is correct or not. Lots of other packets' checksum are not zero either and the result is similar.

Thanks,
Yuxin

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: 2009年2月2日 14:00
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] No indication about UDP checksum

Hi,

In UDP the checksum is optional. So if it's set to 0x0000 that means it's not calculated by the sender and cannot be checked by the receiver.
For Wireshark that results in "Checksum: 0x0000 (none)" and it can't be neither good or bad, since there's is no checksum.

Thanx,
Jaap

Yuxin Zhuang wrote:
> Hi,
>
> While i'm analyzing some captured pkts, i notice that lots of UDP pkts
> have no indication on 'checksum' and both good and bad checksum are
> 'false'. What does this mean?
>
> The output is as follows:
>
>
> Thanks a lot!
> Yuxin
>

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe