Wireshark mailing list archives
Re: Capturing only packets with bad TCP Checksum
From: Martin Isaksson <martin.isaksson () ericsson com>
Date: Tue, 6 Nov 2012 16:36:53 +0100
Thanks Guy!

So the options I have are:

1) to capture with tshark and specify a display filter, but I am afraid that it won't keep up. The number of packets I want to capture are very few, so I really want to make sure I don't miss any of those packets.

2) to use tcpdump and specify a post-rotate command with -z to postprocess the rotated file with for example tshark.
http://www.tcpdump.org/tcpdump_man.html

Is this post-rotate command something for tshark?

Thanks again,
Martin

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
Sent: den 5 november 2012 16:47
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Capturing only packets with bad TCP Checksum

On Nov 5, 2012, at 1:34 PM, Martin Isaksson <martin.isaksson () ericsson com> wrote:
Is there any way of creating a capturing filter to only get packets that have a bad TCP checksum?
Unfortunately, no - in-kernel BPF doesn't support backward branches, so a BPF program that can do filtering in the kernel can't calculate a checksum, and, even though it might be possible to have a BPF program to calculate checksums in userland, the capture-filter-to-BPF compiler in libpcap doesn't have a way of expressing that.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
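The userland check that the post-processing step in option 2 relies on, as an added example that is not part of the thread or of Wireshark/tcpdump: it verifies the TCP checksum with the loop that the in-kernel filter cannot express and lists the failing frames of a capture file. All function names are hypothetical, the sample packets are constructed, and it assumes a classic pcap file with Ethernet link type and IPv4.

```python
import struct

def csum16(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071); needs a loop over the data."""
    data += b"\x00" * (len(data) % 2)            # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip: bytes):
    """True/False for a raw IPv4+TCP packet; None when it cannot be verified."""
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None                              # not IPv4/TCP
    ihl, (total_len, frag) = (ip[0] & 0x0F) * 4, struct.unpack("!H2xH", ip[2:8])
    if total_len > len(ip) or frag & 0x3FFF or total_len < ihl + 20:
        return None                              # cut by snaplen, or a fragment
    segment = ip[ihl:total_len]                  # drops Ethernet padding
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return csum16(pseudo + segment) == 0xFFFF

def bad_tcp_frames(pcap: bytes):
    """1-based indexes of Ethernet frames in a classic pcap whose TCP checksum fails."""
    endian = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    bad, offset, index = [], 24, 0               # 24-byte global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset, index = offset + 16 + incl_len, index + 1
        if frame[12:14] == b"\x08\x00" and tcp_checksum_ok(frame[14:]) is False:
            bad.append(index)
    return bad

def sample_packet(corrupt: bool = False) -> bytes:
    """Constructed IPv4/TCP packet (documentation addresses), optionally corrupted."""
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 0x50, 0x18, 1024, 0, 0) + b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", 0xFFFF - csum16(pseudo + tcp)) + tcp[18:]
    return ip + (tcp[:-1] + b"X" if corrupt else tcp)

def sample_pcap() -> bytes:
    """Constructed little-endian Ethernet pcap: frame 1 is good, frame 2 is bad."""
    eth = bytes(12) + b"\x08\x00"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for pkt in (sample_packet(), sample_packet(corrupt=True)):
        out += struct.pack("<IIII", 0, 0, len(eth + pkt), len(eth + pkt)) + eth + pkt
    return out
```

Frames sent by the capturing host itself can fail this check when TCP checksum offload is enabled, because the NIC fills in the field after the point where the capture sees the packet.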