This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How is wireshark validating this incomplete checksum?

0

I have a IPv6 network. I sent a big, non-fragmentable ping. The packet tried to cross over a small link, and I got a "Packet too Big" ICMP error out of it. So far, so good.

Here is some relevant background data I'd like you make sure you're considering:

  • An ICMP error contains as "payload" the original packet which caused the error.
  • This "inner" packet can be truncated. This is perfectly legal.

The "Packet too Big" is the fourth packet in the listing below. As you can see, Wireshark is complaining because the checksum of the inner packet (ie. the original packet) is incorrect.

capture pic

Why is Wireshark complaining?

The inner packet's IPv6 header reports there should be 1408 bytes of payload, but this data was largely truncated, as you can see, so it shouldn't be possible to validate that particular checksum.
Is there some checksum computation black magic I'm not aware of?

Incidentally, the original packet (the ping) is also present in the capture, but its checksum is not 0xc30e either. Here is the capture.

My About says I'm using Wireshark "Version 1.10.6 (v1.10.6 from master-1.10)", Ubuntu 14.04.

asked 24 Oct '14, 08:26

ydahhrk's gravatar image

ydahhrk
16114
accept rate: 0%

edited 24 Oct '14, 08:28


One Answer:

0

Why is Wireshark complaining?

If it's calculating a checksum for an incomplete packet, it's complaining because it's buggy.

Please file a bug on this on the Wireshark Bugzilla, and attach the capture to it.

answered 24 Oct '14, 15:34

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 24 Oct '14, 15:34

(24 Oct '14, 17:02) ydahhrk