tcpdump mailing list archives

Better dumping of packets with bad TCP checksums?


From: "Greg Weiss" <gregw_lists () fastmail fm>
Date: Fri, 30 Jul 2004 13:14:40 -0400


Question:
------------------
Is there a way to command-line filter tcpdump so that only packets with
bad TCP checksums are dumped?  (I rtfm'd but couldn't find it, but it
seemed useful/simple enough that I might be missing something. Hence
I'm asking here.)


Background:
------------------
I've been reading up on tcpdump to try to track down some packet
corruption I'm seeing with an application we've built.

The corruption seems to only happen on packets with certain
characteristics.

I've figured out how to dump packets that correspond to one
highly-specific instance of corruption that we can replicate:

tcpdump -i fxp1 -l -s 1023 -X 'tcp[342]=67 and tcp[343]=97 and
tcp[346]!=101'

But I don't know how to flag a more general case of TCP checksum 
mismatching.  I do know how to use the -v command to dump packets 
in such a way that it shows if the TCP checksum header does or 
does not match:

tcpdump -i fxp1 -l -s 1023 -X -v

11:08:50.563045 x1.blah.com.3076 > x2.blah.com.http: P [bad tcp cksum
dc08!] 1:396(395) ack 1 win 8760 (DF) (ttl 113, id 39274, len 435)

And I can certainly grep through huge dumps.  What I haven't found is 
whether there's some sort of expression I can use with tcpdump that 
will only dump packets with bad checksums.  Advice?


Related question:
---------------------------
Preliminary testing indicates that the corruption is generated by 
a cheap and common NAT box, even with the latest firmware.  So
it may not be in my control to fix the problem given NATs in the wild,
but I'd like to be alerted (to aid customer troubleshooting) if
it happens on an ongoing basis.  Is there a particular tool/approach
anyone would recommend for flagging/logging the existence of 
incoming corrupted TCP/IP packets?


Thanks much,
  Greg Weiss

P.S. Sentence 2 in the man page should refer to the -r flag, not the -b
flag, right?
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
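The check asked for above cannot be written as a tcpdump filter expression: the filter language matches on packet bytes and has no checksum primitive, so the verification has to happen after capture. The following Python is an added example, not from the original post or from tcpdump itself: it recomputes the TCP checksum (pseudo-header included) for IPv4 packets and flags mismatches, and treats a truncated packet (as a short -s snaplen would produce) as undetermined rather than bad. The sample segment and its one-bit corruption are constructed inline; the addresses and ports are made up.

```python
import struct
from typing import Optional

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                       # odd trailing byte is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum_state(ip_pkt: bytes) -> Optional[bool]:
    """True if the TCP checksum verifies, False if it is bad, None when the
    packet is not TCP or is shorter than its IP total length (truncated by the
    capture snaplen), in which case no verdict is possible."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_pkt[2:4])[0]
    if ip_pkt[9] != 6 or len(ip_pkt) < total_len:
        return None
    segment = ip_pkt[ihl:total_len]
    # Pseudo-header: src addr, dst addr, zero, protocol, TCP length (RFC 793).
    pseudo = ip_pkt[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # Summing the segment together with its own checksum field gives 0 iff it is correct.
    return inet_checksum(pseudo + segment) == 0

def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample: a valid IPv4/TCP PSH+ACK segment with correct checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8760, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 39274, 0x4000, 113, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

def bad_tcp_checksums(packets):
    """Yield (index, packet) for every IPv4 packet whose TCP checksum fails to verify."""
    for i, pkt in enumerate(packets):
        if tcp_checksum_state(pkt) is False:
            yield i, pkt

if __name__ == "__main__":
    good = build_ipv4_tcp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 3076, 80, b"GET / HTTP/1.0\r\n\r\n")
    corrupted = bytearray(good)
    corrupted[-5] ^= 0x01                     # flip one payload bit, as a faulty NAT box might
    corrupted = bytes(corrupted)
    truncated = good[:40]                     # what a too-short snaplen would leave behind
    for idx, _ in bad_tcp_checksums([good, corrupted, truncated]):
        print("packet %d: bad tcp cksum" % idx)  # prints only "packet 1: bad tcp cksum"
```

Feed it IPv4 packets with the link-layer header stripped, for example read back from a `tcpdump -w` file captured with a snaplen large enough to hold whole segments. On a host whose NIC does TCP checksum offload, locally transmitted segments are captured before the checksum is filled in and will show as bad, so judge only traffic seen on the wire or inbound.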