This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can tshark calculate the ethernet Frame Check Sequence?

0

I'm writing a script where I need tshark to calculate the frame check sequence. I know I can output the existing FCS that is stored in the packet with:

$ tshark -T fields -e eth.fcs -r input.cap

But if this FCS is wrong, can tshark calculate the correct one? In wireshark if I open a file where the FCS is wrong, wireshark tells me it's wrong and outputs the value that it should be. Can tshark output the value that it should be instead of just what is stored in the packet data?

Thanks, Jon

asked 31 Jul '13, 15:38

Lemurshark's gravatar image

Lemurshark
26569
accept rate: 0%

Any help is appreciated. I wrote a script that would run several options from tshark to see if it would output the correct, calculated checksum instead of the checksum that is stored in the packet, but I haven't been able to find the right option.

$ for option in $(tshark -G | grep -i "fcs" | awk '{ for (i=2; i<NF; i++) {if ($i ~ /.*\..*/) {print $i; next } } }'); do echo $option; tshark -T fields -e $option -r onebadchecksum.cap 2>/dev/null; done

If I pull up the trace in wireshark, it tells me this:

Frame check sequence: 0x665adc0c [incorrect, should be 0x509e1835]

So wireshark knows what the correct value should be. Can tshark tell me the same thing?

(01 Aug '13, 08:10) Lemurshark

One Answer:

1

Here is how you can view the calculated FCS with tshark:

tshark -o eth.assume_fcs:TRUE -o eth.check_fcs:TRUE -r ethernet-frame-with-fcs.enc -V -O eth
Frame 1: 1518 bytes on wire (12144 bits), 1518 bytes captured (12144 bits)
Ethernet II, Src: OmronTat_0a:0a:02 (00:00:0a:0a:0a:02), Dst: OmronTat_0a:0a:01 (00:00:0a:0a:0a:01)
    Destination: OmronTat_0a:0a:01 (00:00:0a:0a:0a:01)
        Address: OmronTat_0a:0a:01 (00:00:0a:0a:0a:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: OmronTat_0a:0a:02 (00:00:0a:0a:0a:02)
        Address: OmronTat_0a:0a:02 (00:00:0a:0a:0a:02)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
    Frame check sequence: 0xf6979097 [incorrect, should be 0x09686f68]
        [FCS Good: False]
        [FCS Bad: True]
            [Expert Info (Error/Checksum): Bad checksum]
                [Message: Bad checksum]
                [Severity level: Error]
                [Group: Checksum]
Internet Protocol Version 4, Src: 10.10.10.2 (10.10.10.2), Dst: 10.10.10.1 (10.10.10.1)
Data (1480 bytes)

I leave it as an exercise for the reader to extract the FCS from the output :-)

answered 01 Aug '13, 14:15

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%