Wireshark-users: Re: [Wireshark-users] Capturing only packets with bad TCP Checksum

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 5 Nov 2012 13:47:12 -0800
On Nov 5, 2012, at 1:34 PM, Martin Isaksson <martin.isaksson@xxxxxxxxxxxx> wrote:

> Is there any way of creating a capturing filter to only get packets that have a bad TCP checksum?

Unfortunately, no - in-kernel BPF doesn't support backward branches, so a BPF program that can do filtering in the kernel can't calculate a checksum, and, even though it might be possible to have a BPF program to calculate checksums in userland, the capture-filter-to-BPF compiler in libpcap doesn't have a way of expressing that.
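
Added example, not part of the original message: because the check cannot be expressed as a capture filter, one workaround is to capture all TCP traffic and verify checksums in userland afterwards. The Python sketch below does that for raw IPv4 packets; the function names and the sample packet (documentation addresses, constructed here) are assumptions of this example.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip_packet: bytes):
    """True/False for an IPv4/TCP packet; None when it cannot be judged
    (not IPv4, not TCP, an IP fragment, or cut short by the snapshot length)."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!H2xH", ip_packet[2:8])
    if ip_packet[9] != 6 or frag & 0x3FFF:  # not TCP, or MF set / offset != 0
        return None
    if ihl < 20 or total_len < ihl + 20 or len(ip_packet) < total_len:
        return None
    segment = ip_packet[ihl:total_len]      # ignores any link-layer padding
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # Summing the segment with its checksum field in place gives 0xFFFF if valid.
    return ones_complement_sum(pseudo + segment) == 0xFFFF

def build_sample(payload: bytes = b"hello", corrupt: bool = False) -> bytes:
    """Constructed IPv4/TCP packet for the demo (IP header checksum left at 0)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
    tcp += payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    csum = ~ones_complement_sum(pseudo + tcp) & 0xFFFF
    if corrupt:
        csum ^= 0x0001                      # flip one bit of the checksum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0)
    return ip + src + dst + tcp

if __name__ == "__main__":
    for name, pkt in (("good", build_sample()),
                      ("bad", build_sample(corrupt=True))):
        print(name, tcp_checksum_ok(pkt))
```

On a capturing host with transmit checksum offload enabled, locally sent packets can fail this check because the NIC fills in the checksum after the capture point.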