Hi everybody, Another little incomprehension. Right in this moment I analyze a capture file from a customer. I use the following display filter "!eth.type == 0x8922 && !arp && !stp && !nbns && !bootp". When I open the expert info window I see a lot of bad checksum errors. If I choose a packet number from this window, the packet is not shown, because the filter works. If I clear the filter, the error was cleared in the expert window but I remember the packet number so the bad checksum is shown on the packet list. What`s that, if I use a filter Wireshark tells me more errors as without a filter. Normal??????? ps, the bad checksum error is an stp error!!!!! asked 24 Jan '13, 07:09  mikethebandit31 edited 24 Jan '13, 11:45  Jim Aragon |
One Answer:
Where was that capture taken? There are many cases where the checksum errors where false positives, usually caused by checksum offloading when doing a capture on the sending server or client. Basic rule is: if the checksum would really have been bad it most likely not make it into the capture file in the first place, because it is dropped before it gets there. The expert behaviour sounds a bit strange; it should either show messages regarding only filtered packets or all packets, but it should not have less messages when the filter is cleared. I doubt that you could post the capture file for us to take a look at since it contains customer data, but maybe you could open a bug report at bugs.wireshark.org. answered 24 Jan '13, 07:34  Jasper ♦♦ sorry you right, there were a lot of customer data in it so i can [Edit: moved the comment here since it was obviously attached at the wrong place before] (25 Jan '13, 01:47) mikethebandit31 |
Can you post a sample capture file to cloudshark or wireshark-dev or ...?
Without a capture file, my best guess is that somewhere we have one or more
expert_add_info_format()'s within anif (tree) { ... }block, which is not allowed.