|From: Douglas F.Calvert
|
|Hello,
| I am diagnosing an odd network problem and I have been using ethereal
|filters a lot lately. Is there a predefined filter that just matches
|bad packets that I am not aware of?
Not really. Some protocol dissectors define protocol fields for this
purpose, but not all.
Some conditions may appear as errors but aren't, like bad TCP checksums in
some packet captures as some NICs have the possibility to compute the TCP
checksum on their own, hence off-loading the OS packet driver. This yields
incorrect TCP checksums but in fact you don't know whether it is really an
error or just a side-effect of TCP off-loading.
You basically need to define which errors you are interested in (often
meaning you need to define the set of "interesting" protocols).
Some examples:
* Bad IPv4 header checksum: ip.checksum_bad
* Bad TCP checksum: tcp.checksum_bad
* Bad UDP checksum: udp.checksum_bad
* HTTP errors: http.response.code >= 400
* WSP errors: wsp.reply.status >= 0x40
You can always inspect the Ethereal display filter reference to look for
specific error fields in specific protocols. Sometimes a given field must
have a specific value in order to be considered as an error (e.g., status
code in many request-response protocols).
Regards,
Olivier
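
The following is an added example, not part of the original message: a Python sketch that recomputes the TCP checksum the way a tcp.checksum_bad check has to, then separates probable off-loading artifacts from mismatches worth investigating. The triage rule (a bad checksum on a segment sent by the capturing host is probably off-loading), the function names, and the sample addresses and segments are assumptions constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # With the checksum field included, a valid segment folds to 0xFFFF,
    # so the complemented result is 0.
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def triage(src: str, dst: str, segment: bytes, local_addrs: set) -> str:
    """Assumed heuristic: segments sent by the capturing host are captured
    before the NIC fills in the checksum, so a mismatch there is suspect
    off-loading; a mismatch on a segment from elsewhere deserves a look."""
    if tcp_checksum_ok(src, dst, segment):
        return "ok"
    return "bad, likely offload" if src in local_addrs else "bad, investigate"

def build_segment(src: str, dst: str, payload: bytes, fill_checksum: bool = True) -> bytes:
    """Constructed test data: 20-byte TCP header (PSH+ACK) plus payload."""
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if fill_checksum:
        csum = inet_checksum(pseudo_header(src, dst, len(seg)) + seg)
        seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    return seg

# Constructed sample values (documentation address ranges).
LOCAL, REMOTE = "192.0.2.10", "198.51.100.7"
REQ = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    received = build_segment(REMOTE, LOCAL, REQ)
    damaged = received[:-1] + bytes([received[-1] ^ 0x01])  # one flipped bit
    unfilled = build_segment(LOCAL, REMOTE, REQ, fill_checksum=False)
    for name, src, dst, seg in [("received", REMOTE, LOCAL, received),
                                ("damaged", REMOTE, LOCAL, damaged),
                                ("unfilled", LOCAL, REMOTE, unfilled)]:
        print(name, "->", triage(src, dst, seg, {LOCAL}))
```

Capturing the same traffic on the receiving side or on a mirror port shows whether a segment tagged as likely off-loading really left the wire with a bad checksum.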