tcpdump mailing list archives
Better dumping of packets with bad TCP checksums?
From: "Greg Weiss" <gregw_lists () fastmail fm>
Date: Fri, 30 Jul 2004 13:14:40 -0400
Question:
------------------
Is there a way to command-line filter tcpdump so that only packets with bad TCP checksums are dumped? (I rtfm'd but couldn't find it, but it seemed useful/simple enough that I might be missing something. Hence I'm asking here.)

Background:
------------------
I've been reading up on tcpdump to try to track down some packet corruption I'm seeing with an application we've built. The corruption seems to only happen on packets with certain characteristics. I've figured out how to dump packets that correspond to one highly-specific instance of corruption that we can replicate:

tcpdump -i fxp1 -l -s 1023 -X 'tcp[342]=67 and tcp[343]=97 and tcp[346]!=101'

But I don't know how to flag a more general case of TCP checksum mismatching. I do know how to use the -v command to dump packets in such a way that it shows if the TCP checksum header does or does not match:

tcpdump -i fxp1 -l -s 1023 -X -v
11:08:50.563045 x1.blah.com.3076 > x2.blah.com.http: P [bad tcp cksum dc08!] 1:396(395) ack 1 win 8760 (DF) (ttl 113, id 39274, len 435)

And I can certainly grep through huge dumps. What I haven't found is whether there's some sort of expression I can use with tcpdump that will only dump packets with bad checksums. Advice?

Related question:
---------------------------
Preliminary testing indicates that the corruption is generated by a cheap and common NAT box, even with the latest firmware. So it may not be in my control to fix the problem given NATs in the wild, but I'd like to be alerted (to aid customer troubleshooting) if it happens on an ongoing basis. Is there a particular tool/approach anyone would recommend for flagging/logging the existence of incoming corrupted TCP/IP packets?

Thanks much,
Greg Weiss

P.S. Sentence 2 in the man page should refer to the -r flag, not the -b flag, right?

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
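An added example, not from the list archive and not tcpdump's own code: a small Python checker that recomputes the TCP checksum over the IPv4 pseudo-header (the same verification tcpdump -v performs before printing "bad tcp cksum"), so raw packets read from a pcap can be logged only when their checksum fails. The packet is constructed here, with ttl/id/window borrowed from the trace in the post; the addresses, ports and payload are assumptions, and a packet shorter than its IP total length (a truncated snaplen) is reported as unverifiable.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + TCP segment, checksum field taken as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def tcp_checksum_ok(ip_packet: bytes) -> bool:
    """True if the raw IPv4/TCP packet carries a correct TCP checksum.
    Returns False for non-TCP packets and for captures truncated by the snaplen,
    since the checksum cannot be verified on a partial segment."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ip_packet[9] != 6 or total_len > len(ip_packet) or total_len < ihl + 20:
        return False
    src, dst = ip_packet[12:16], ip_packet[16:20]
    segment = ip_packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src, dst, segment) == stored

def bad_checksum_packets(packets):
    """The filter the question asks for: keep only packets whose TCP checksum fails."""
    return [p for p in packets if not tcp_checksum_ok(p)]

def build_sample_packet(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (assumed 10.0.0.1:3076 -> 10.0.0.2:80) with a valid checksum.
    PSH|ACK, win 8760, DF, ttl 113, id 39274 mirror the trace line; IP header checksum left 0."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 3076, 80, 1, 1, 5 << 4, 0x18, 8760, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 39274, 0x4000, 113, 6, 0, src, dst)
    return ip_hdr + tcp

def corrupt_byte(packet: bytes, tcp_offset: int) -> bytes:
    """Flip one bit at a tcp[N]-style offset (relative to the TCP header, as in the
    filter in the post) to simulate in-flight corruption of the segment."""
    i = (packet[0] & 0x0F) * 4 + tcp_offset
    return packet[:i] + bytes([packet[i] ^ 0x01]) + packet[i + 1:]
```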
Current thread:
- Better dumping of packets with bad TCP checksums? Greg Weiss (Jul 30)
- Re: Better dumping of packets with bad TCP checksums? Guy Harris (Jul 30)
- TCP checksum filtering, -b flag in documentation Greg Weiss (Aug 02)
- Re: Better dumping of packets with bad TCP checksums? Guy Harris (Jul 30)