Scott Fringer wrote:
A colleague and I are working through a capture file with fragmented
ICMP packets. In every one of these, only the initial part of the ICMP
echo request or echo reply is decoded as ICMP (the remaining fragments
are decoded as IP).
In the initial fragment of the ICMP packet, the ICMP checksum is not
listed as "correct" (as it is in single frame ICMP packets). So we are
deducing that the ICMP checksum is incorrect.
"Not listed as correct" does not imply "incorrect". If it's incorrect,
it'll be listed as incorrect; if it's not listed as incorrect, and not
listed as correct, it means it hasn't been checked at all...
Is this related to the
fact that the ICMP packet is composed of multiple fragments (and hence
the checksum can not be successfully computed)?
...which will happen if the packet is fragmented and wasn't reassembled.
Is there a way to stitch
all of the ICMP fragments together to verify the ICMP checksum is valid?
Turn on the "Reassemble fragmented IP datagrams" option in the
preferences for IP. (Select Preferences from the Edit menu, open up the
"Protocols" list in the dialog box, select "IP", turn on the option, and
click "OK" to turn it on in this session or click "Save" to turn it on
in this session and save all the current preference settings as
permanent settings.)