Thanks Mark, I managed to patch packet-tcp.c myself. If some of you are
interested into this TCP checksum you may find below the diff output.
Please note that:
- there is NO support for IPv6, I do not even test the IP type, if you
capture IPv6 packets you will get an 'invalid checksum' message when you
normally shouldn't
- the patch seems to work for me, but I do not guarantee it is bug-free
Theo
------ diff output below --------
430,493d429
< static guint16 tcp_checksum(const guint8 *ptr, packet_info *pinfo, int len)
< {
< unsigned long Sum;
< const unsigned char *Ptr, *PtrEnd;
< address src, dst;
<
< Sum = 0;
<
< /* Computing the checksum on TCP header + TCP payload */
< PtrEnd = ptr + len;
< for (Ptr = ptr; Ptr < PtrEnd; Ptr += 2) {
< Sum += pntohs(Ptr);
< }
<
< /* TCP checksum also includes a pseudo-header with IP info. cf. RFC 793
page 17*/
< src = pinfo->net_src;
< dst = pinfo->net_dst;
<
< Sum += (src.data[0] << 8) + src.data[1];
< Sum += (src.data[2] << 8) + src.data[3];
< Sum += (dst.data[0] << 8) + dst.data[1];
< Sum += (dst.data[2] << 8) + dst.data[3];
< Sum += pinfo->ipproto & 0xFFFF;
< Sum += len;
<
< Sum = (Sum & 0xFFFF) + (Sum >> 16);
< Sum = (Sum & 0xFFFF) + (Sum >> 16);
<
< return (guint16)~Sum;
< }
<
<
< static guint16 tcp_checksum_shouldbe(guint16 sum, guint16 computed_sum)
< {
< guint32 shouldbe;
<
< /*
< * The value that should have gone into the checksum field
< * is the negative of the value gotten by summing up everything
< * *but* the checksum field.
< *
< * We can compute that by subtracting the value of the checksum
< * field from the sum of all the data in the packet, and then
< * computing the negative of that value.
< *
< * "sum" is the value of the checksum field, and "computed_sum"
< * is the negative of the sum of all the data in the packets,
< * so that's -(-computed_sum - sum), or (sum + computed_sum).
< *
< * All the arithmetic in question is one's complement, so the
< * addition must include an end-around carry; we do this by
< * doing the arithmetic in 32 bits (with no sign-extension),
< * and then adding the upper 16 bits of the sum, which contain
< * the carry, to the lower 16 bits of the sum, and then do it
< * again in case *that* sum produced a carry.
< */
< shouldbe = sum;
< shouldbe += computed_sum;
< shouldbe = (shouldbe & 0xFFFF) + (shouldbe >> 16);
< shouldbe = (shouldbe & 0xFFFF) + (shouldbe >> 16);
< return shouldbe;
< }
<
<
509d444
< guint16 tcpsum;
604,613c539
<
< tcpsum = tcp_checksum(tvb_get_ptr(tvb, offset, hlen), pinfo, hlen +
seglen);
< if (tcpsum == 0) {
< proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb, offset +
16, 2, th.th_sum, \
< "Checksum: 0x%04x (correct)", th.th_sum);
< }
< else {
< proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb, offset +
16, 2, th.th_sum, \
< "Checksum: 0x%04x (incorrect, should be 0x%04x)", th.th_sum,
tcp_checksum_shouldbe(th.th_sum, tcpsum));
< }
---
> proto_tree_add_uint(tcp_tree, hf_tcp_checksum, tvb, offset + 16, 2,
th.th_sum);
---------- that was it --------------
Mark Atwood wrote:
> Theodore Marescaux <Theodore.Marescaux@xxxxxxx> writes:
> >
> > I'm using ethereal 0.8.14 under Linux and I need to verifiy the validity
> > of the TCP checksum on the packets I capture, but Ethereal does not seem
> > to have such a feature. I've seen Ethereal has a plugin facility. Does
> > someone know if a plugin could be used for this purpose, if such a
> > plugin exists (verifying TCP checksum) or where to find information on
> > how to write plugins for Ethereal.
>
> It shouldn't be too hard to add (I picked apart the IP checksum bits a
> while back). Tell ya what, if no one else gets to it by then, I'll try
> to getting around add it and submit a patch by this weekend.
>
> --
> Mark Atwood | The summit of Mount Everest is marine limestone.
> mra@xxxxxxxxx |
> http://www.pobox.com/~mra