Wireshark-users: Re: [Wireshark-users] Capturing only packets with bad TCP Checksum
Thanks Guy!
So the options I have are:
1) to capture with tshark and specify a display filter, but I am afraid that it won't keep up. The number of packets I want to capture is very small, so I really want to make sure I don't miss any of those packets.
2) to use tcpdump and specify a post-rotate command with -z to postprocess the rotated file with for example tshark. http://www.tcpdump.org/tcpdump_man.html
Is this post-rotate command something for tshark?
Thanks again,
Martin
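Added example (not part of the thread): the userland checksum check that option 2 hands off to tshark, written out so the point about BPF is visible. The packets, addresses and ports are constructed here; in practice the input would be the frames read from a rotated capture file.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. The loop over a
    variable-length buffer is the backward branch classic in-kernel BPF
    lacks, so no capture filter can compute this."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip_packet: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet (no link-layer header)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ip_packet[9] != 6:
        raise ValueError("not a TCP packet")
    segment = ip_packet[ihl:total_len]
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # With the checksum field left in place, a valid segment sums to 0xFFFF.
    return ones_complement_sum(pseudo + segment) == 0xFFFF

def build_tcp_packet(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed IPv4/TCP SYN packet with correct IP and TCP checksums."""
    tcp_len = 20 + len(payload)
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ~ones_complement_sum(ip_hdr) & 0xFFFF) + ip_hdr[12:]
    def tcp_hdr(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, 0x02, 65535, csum, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    csum = ~ones_complement_sum(pseudo + tcp_hdr(0) + payload) & 0xFFFF
    return ip_hdr + tcp_hdr(csum) + payload

def bad_checksum_packets(packets):
    """The filter the capture engine cannot apply: keep only packets whose
    TCP checksum fails. Caveat: on a host with TX checksum offload its own
    outgoing packets are captured before the NIC fills the field in, so they
    all show up here; capture on a third machine or disable offload first."""
    return [p for p in packets if not tcp_checksum_ok(p)]

if __name__ == "__main__":
    good = build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    bad = bytearray(good); bad[-1] ^= 0xFF  # corrupt one payload byte
    print(len(bad_checksum_packets([good, bytes(bad)])), "packet(s) with bad TCP checksum")
```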
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: 5 November 2012 16:47
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Capturing only packets with bad TCP Checksum
On Nov 5, 2012, at 1:34 PM, Martin Isaksson <martin.isaksson@xxxxxxxxxxxx> wrote:
> Is there any way of creating a capturing filter to only get packets that have a bad TCP checksum?
Unfortunately, no - in-kernel BPF doesn't support backward branches, so a BPF program that can do filtering in the kernel can't calculate a checksum, and, even though it might be possible to have a BPF program to calculate checksums in userland, the capture-filter-to-BPF compiler in libpcap doesn't have a way of expressing that.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe