This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Internet header + 64 bits of datagram

0

Hello,

I have a little question about the field "Internet Header + 64 bits of Data Datagram" when I am trying to calculate the checksum for ICMP type 11. How can I check it in Wireshark?

Thanks

asked 17 May '12, 12:29

blackfredy

edited 17 May '12, 12:31


One Answer:

1

The checksum calculation works exactly the same as for ICMP ECHO/ECHO-REPLY packets. Instead of some user data, the payload of the ICMP packet is now a portion of the packet that triggered the TTL-exceeded ICMP message. As the RFC says, it is the complete IP header plus 64 bits (8 octets) of said packet (these are used to be able to identify which packets caused the TTL-exceeded message).

In your example, the 64 bits are the ICMP header of the ping from 172.22.51.119 to 172.22.2.38.

answered 17 May '12, 17:00

SYN-bit ♦♦

Hi,

However thanks, well I'm doing this:

type+code = 0x0b00

Complete ip_header = 0x4500; 0x005c; 0xc0dd; 0x0000; 0x0001; 0xac16; 0x3377; 0xac16; 0x0226;

And plus

0xac16; 0x3377; 0xac16; 0x0226;

Adding the carry and doing the complement, the result would be 0xf4ff? I think I am making a mistake. Could you help me?

Thanks!

(17 May '12, 17:53) blackfredy

You should use:

ICMP header:
  type+code = 0x0b00
  checksum  = 0x0000 (ok, academically speaking ;-))

ICMP payload (IP header + 64 bits of payload, which is ICMP in this case):
  ip_header = 0x4500; 0x005c; 0xc0dd; 0x0000; 0x0001; 0xac16; 0x3377; 0xac16; 0x0226;
  icmp_header = 0x0800; 0x9bff; 0x0200; 0x5a00

(18 May '12, 02:56) SYN-bit ♦♦

I read RFC 792 and couldn't understand "64 bits of Original Data Datagram", but with your explanation I now get it. I followed your advice and additionally added the ip_header checksum to reach 0xf4ff.

I really feel so grateful for your help,

Thanks!

(18 May '12, 17:42) blackfredy
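
The calculation worked through in this thread, as an added Python example (not code from the original posts): it builds the ICMP Time Exceeded message from the words quoted above and computes the RFC 1071 checksum over the ICMP header, the 4 unused octets, the original IP header and the first 64 bits of its payload. The function names are illustrative, and the IP header checksum word, which the listings in the thread leave out, is recomputed from the other nine words on the assumption that the quoted header was valid.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # add the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def words(*values: int) -> bytes:
    return struct.pack(f"!{len(values)}H", *values)

def quoted_ip_header() -> bytes:
    # Nine words from the thread; the header checksum word (byte offset 10) is
    # not in the listing, so it is recomputed here (assumes a valid header).
    hdr = bytearray(words(0x4500, 0x005C, 0xC0DD, 0x0000, 0x0001, 0x0000,
                          0xAC16, 0x3377, 0xAC16, 0x0226))
    struct.pack_into("!H", hdr, 10, internet_checksum(bytes(hdr)))
    return bytes(hdr)

def time_exceeded_message() -> bytes:
    msg = bytearray(
        words(0x0B00, 0x0000)                     # type 11, code 0, checksum zeroed
        + words(0x0000, 0x0000)                   # 4 unused octets (RFC 792)
        + quoted_ip_header()                      # complete original IP header
        + words(0x0800, 0x9BFF, 0x0200, 0x5A00)   # first 64 bits of its payload
    )
    struct.pack_into("!H", msg, 2, internet_checksum(bytes(msg)))
    return bytes(msg)

def icmp_checksum_ok(message: bytes) -> bool:
    # With the transmitted checksum left in place, a good message checksums to 0.
    return internet_checksum(message) == 0

if __name__ == "__main__":
    msg = time_exceeded_message()
    print(f"ICMP checksum: 0x{struct.unpack_from('!H', msg, 2)[0]:04x}")
    print("verifies:", icmp_checksum_ok(msg))
```

Because a valid IP header sums to 0xffff in ones' complement arithmetic, leaving its checksum word out of the sum changes the ICMP result, which is the discrepancy resolved in the last comment.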