Thanks to the pointers from Hartmut Mueller I got this
patched up pretty quickly. I added hidden boolean fields
for ip.checksum_bad and icmp.checksum_bad. With this patch
you can set a filter of:
ip.checksum_bad
to just show the packets that don't have matching
checksums.
Thanks for the help.
-James
On Wed, 21 Feb 2001, James E. Flemer wrote:
> On Tue, 20 Feb 2001, Guy Harris wrote:
>
> > > I scanned the docs, and google'd for it ...
> > > Is there a way to filter ip.checksum to only show packets
> > > that have incorrect checksums?
> >
> > No - a filter expression that checks "ip.checksum" could only compare it
> > against a constant, which won't find invalid checksums. Currently, the
> > best you could do would be to print the capture to a file (print the
> > detail, not the summary), pull the editor into a file and look for
> > packets with an incorrect checksum (search for "incorrect") or cook up a
> > script that scans through the file, remembers the frame number of the
> > current frame, and lists that frame number if it sees a line showing an
> > incorrect checksum).
> >
> > Adding a hidden Boolean field "ip.bad_checksum" (and similar fields for
> > other protocols with checksums) might be useful.
> Yes I agree that would be nice. :-)
> I have a few free hours this afternoon, I'll grab the
> sources and see if I can hack this in. Of course I'm not
> familiar with the sources (yet) so if someone beats me to
> it let me know.
> Thanks.
> -James
>
>
*** packet-ip.c.orig Wed Feb 21 11:21:37 2001
--- packet-ip.c Wed Feb 21 11:40:27 2001
***************
*** 86,91 ****
--- 86,92 ----
static int hf_ip_ttl = -1;
static int hf_ip_proto = -1;
static int hf_ip_checksum = -1;
+ static int hf_ip_checksum_bad = 0;
static gint ett_ip = -1;
static gint ett_ip_dsfield = -1;
***************
*** 112,117 ****
--- 113,119 ----
static int hf_icmp_type = -1;
static int hf_icmp_code = -1;
static int hf_icmp_checksum = -1;
+ static int hf_icmp_checksum_bad = 0;
static gint ett_icmp = -1;
***************
*** 894,899 ****
--- 896,902 ----
"Header checksum: 0x%04x (correct)", iph.ip_sum);
}
else {
+ proto_tree_add_item_hidden(ip_tree, hf_ip_checksum_bad, tvb, offset + 10, 2, TRUE);
proto_tree_add_uint_format(ip_tree, hf_ip_checksum, tvb, offset + 10, 2, iph.ip_sum,
"Header checksum: 0x%04x (incorrect, should be 0x%04x)", iph.ip_sum,
in_cksum_shouldbe(iph.ip_sum, ipsum));
***************
*** 1124,1129 ****
--- 1127,1134 ----
cksum,
"Checksum: 0x%04x (correct)", cksum);
} else {
+ add proto_tree_add_item_hidden(icmp_tree, hf_icmp_checksum_bad,
+ tvb, 2, 2, TRUE);
proto_tree_add_uint_format(icmp_tree, hf_icmp_checksum, tvb, 2, 2,
cksum,
"Checksum: 0x%04x (incorrect, should be 0x%04x)",
***************
*** 1447,1452 ****
--- 1452,1461 ----
{ &hf_ip_checksum,
{ "Header checksum", "ip.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
"" }},
+
+ { &hf_ip_checksum_bad,
+ { "Bad Header checksum", "ip.checksum_bad", FT_BOOLEAN, 4, NULL, 0x0,
+ "" }},
};
static gint *ett[] = {
&ett_ip,
***************
*** 1508,1513 ****
--- 1517,1526 ----
{ &hf_icmp_checksum,
{ "Checksum", "icmp.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
"" }},
+
+ { &hf_icmp_checksum_bad,
+ { "Bad Checksum", "icmp.checksum_bad", FT_BOOLEAN, 4, NULL, 0x0,
+ "" }},
};
static gint *ett[] = {
&ett_icmp,
