[Theodore Marescaux <Theodore.Marescaux@xxxxxxx>]

Thanks Mark, I managed to patch packet-tcp.c myself. If some of you are
interested into this TCP checksum you may find below the diff output.

Please note that:
    - there is NO support for IPv6, I do not even test the IP type, if you
capture IPv6 packets you will get an 'invalid checksum' message when you
normally shouldn't
    - the patch seems to work for me, but I do not guarantee it is bug-free

Theo

------ diff output below --------
430,493d429
< static guint16 tcp_checksum(const guint8 *ptr, packet_info *pinfo, int len)

< {
<  unsigned long Sum;
<  const unsigned char *Ptr, *PtrEnd;
<  address src, dst;
<
<  Sum    = 0;
<
<  /* Computing the checksum on TCP header + TCP payload */
<  PtrEnd = ptr + len;
<  for (Ptr = ptr; Ptr < PtrEnd; Ptr += 2) {
<   Sum += pntohs(Ptr);
<  }
<
<  /* TCP checksum also includes a pseudo-header with IP info. cf. RFC 793
page 17*/
<  src = pinfo->net_src;
<  dst = pinfo->net_dst;
<
<  Sum += (src.data[0] << 8) + src.data[1];
<  Sum += (src.data[2] << 8) + src.data[3];
<  Sum += (dst.data[0] << 8) + dst.data[1];
<  Sum += (dst.data[2] << 8) + dst.data[3];
<  Sum += pinfo->ipproto & 0xFFFF;
<  Sum += len;
<
<  Sum = (Sum & 0xFFFF) + (Sum >> 16);
<  Sum = (Sum & 0xFFFF) + (Sum >> 16);
<
<  return (guint16)~Sum;
< }
<
<
< static guint16 tcp_checksum_shouldbe(guint16 sum, guint16 computed_sum)
< {
<  guint32 shouldbe;
<
<  /*
<   * The value that should have gone into the checksum field
<   * is the negative of the value gotten by summing up everything
<   * *but* the checksum field.
<   *
<   * We can compute that by subtracting the value of the checksum
<   * field from the sum of all the data in the packet, and then
<   * computing the negative of that value.
<   *
<   * "sum" is the value of the checksum field, and "computed_sum"
<   * is the negative of the sum of all the data in the packets,
<   * so that's -(-computed_sum - sum), or (sum + computed_sum).
<   *
<   * All the arithmetic in question is one's complement, so the
<   * addition must include an end-around carry; we do this by
<   * doing the arithmetic in 32 bits (with no sign-extension),
<   * and then adding the upper 16 bits of the sum, which contain
<   * the carry, to the lower 16 bits of the sum, and then do it
<   * again in case *that* sum produced a carry.
<   */
<  shouldbe = sum;
<  shouldbe += computed_sum;
<  shouldbe = (shouldbe & 0xFFFF) + (shouldbe >> 16);
<  shouldbe = (shouldbe & 0xFFFF) + (shouldbe >> 16);
<  return shouldbe;
< }
<
<
509d444
<   guint16    tcpsum;
604,613c539
<
<     tcpsum = tcp_checksum(tvb_get_ptr(tvb, offset, hlen), pinfo, hlen +
seglen);
<     if (tcpsum == 0) {
<      proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb, offset +
16, 2, th.th_sum, \
<   "Checksum: 0x%04x (correct)", th.th_sum);
<     }
<     else {
<      proto_tree_add_uint_format(tcp_tree, hf_tcp_checksum, tvb, offset +
16, 2, th.th_sum, \
<   "Checksum: 0x%04x (incorrect, should be 0x%04x)", th.th_sum,
tcp_checksum_shouldbe(th.th_sum, tcpsum));
<     }
---
>     proto_tree_add_uint(tcp_tree, hf_tcp_checksum, tvb, offset + 16, 2,
th.th_sum);
---------- that was it --------------

Mark Atwood wrote:

> Theodore Marescaux <Theodore.Marescaux@xxxxxxx> writes:
> >
> > I'm using ethereal 0.8.14 under Linux and I need to verifiy the validity
> > of the TCP checksum on the packets I capture, but Ethereal does not seem
> > to have such a feature. I've seen Ethereal has a plugin facility. Does
> > someone know if a plugin could be used for this purpose, if such a
> > plugin exists (verifying TCP checksum) or where to find information on
> > how to write plugins for Ethereal.
>
> It shouldn't be too hard to add (I picked apart the IP checksum bits a
> while back). Tell ya what, if no one else gets to it by then, I'll try
> to getting around add it and submit a patch by this weekend.
>
> --
> Mark Atwood   | The summit of Mount Everest is marine limestone.
> mra@xxxxxxxxx |
> http://www.pobox.com/~mra