On Sun, Feb 10, 2008 at 06:35:08AM -0800, Becky Vict wrote:
> I would like to know if a packet is discarded due to bad checksum,
> will it show in the capture? How to distinguish this quickly? What
> display filter should I use for this?

If the frame is discarded by the network card for a bad CRC, you will
probably not see it in Wireshark at all. If the checksum is bad at
higher layers, then you will see bad checksum checks at various
protocols/layers (IP, TCP, UDP and some other protocols such as CDP and
EDP). Go into the protocol layer of a packet that you want to check the
checksum of and there will be a tree such as the following:

    User Datagram Protocol, Src Port: domain (53), Dst Port: 58475 (58475)
        Source Port: domain (53)
        Destination port: 58475 (58475)
        Length: 108
        Checksum 0x2b97 [correct]
            [Good Checksum: True]
            [Bad Checksum: False]

Right click on the good or bad checksum and go to Apply as Filter -
Selected to apply a display filter for good or bad checksums. The
filters in this case will be udp.checksum_good == 1 or udp.checksum_bad
== 1 if it is good or bad respectively.

There are also coloring rules in place by default for Checksum Errors
that turn the packet list line red on black for cdp, edp, ip, tcp, udp
checksums that are bad. Note that a few other protocols have
checksum checks too, but they are not in the default coloring rules.

Steve
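
What the Good/Bad Checksum flags in the tree above stand for, as an added example that is not part of the original message: a Python sketch of the UDP checksum check over the IPv4 pseudo-header (RFC 768). The addresses and payload are constructed sample values and the function names are hypothetical; the ports and length mirror the tree shown above.

```python
import socket
import struct

UDP_PROTO = 17  # IPv4 protocol number for UDP


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def build_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build a UDP header + payload with a correct checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    csum = (~total & 0xFFFF) or 0xFFFF  # a computed 0 is sent as 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def checksum_status(src_ip, dst_ip, segment: bytes) -> str:
    """Return 'good', 'bad', or 'unverified' (IPv4 sender sent checksum 0)."""
    if len(segment) < 8:
        raise ValueError("shorter than a UDP header")
    if segment[6:8] == b"\x00\x00":
        return "unverified"
    # Summing everything, stored checksum included, yields 0xFFFF when intact.
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return "good" if total == 0xFFFF else "bad"


# Constructed sample: documentation addresses; ports and length as in the tree above.
SRC, DST = "192.0.2.53", "192.0.2.10"
GOOD = build_segment(SRC, DST, 53, 58475, b"constructed payload " * 5)
CORRUPT = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])  # one payload bit flipped

if __name__ == "__main__":
    print(len(GOOD), checksum_status(SRC, DST, GOOD), checksum_status(SRC, DST, CORRUPT))
```

Because the pseudo-header is part of the sum, a segment whose bytes are intact still fails the check when it is evaluated against the wrong source or destination address.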