I am using Wireshark (Version 2.2.7 (v2.2.7-0-g1861a96)) and was hoping someone explain why fragmented udp packets with a valid CRC are being marked with Checksum 0x7c21 [incorrect, should be 0xf934] (maybe caused by "UDP checksum offload") even if the packet has the checksum of 0xf934. Any help would be appreciated. Thanks. This question is marked "community wiki". asked 26 Jun '17, 18:27 slb3 |
One Answer:
This sounds as if it's the UDP checksum. If the UDP packet is fragmented, its checksum cannot be calculated unless it's reassembled, so Wireshark can't verify the checksum. If the checksum is reported as incorrect, either it really is incorrect, or it's a packet sent by the machine on which the capture was done and the network adapter is doing checksum offloading (so that the copy of the packet handed to the capture program hasn't had the checksum set), or there's a bug in Wireshark. To determine which of those is the case, we'd need a copy of the capture. Please file a bug on the Wireshark Bugzilla and attach the capture file to it. answered 27 Jun '17, 10:14 Guy Harris ♦♦ Yes. It is a UDP checksum issue. I will post a copy of the pcap file in Wireshark's Bugzillia. Thanks. (27 Jun '17, 10:25) slb3 Bug # 13853 (27 Jun '17, 11:00) slb3 If you could answer the questions posted in the bug, that would be helpful too. (28 Jun '17, 06:33) Jaap ♦ |
Is that the IP checksum or the UDP checksum (neither of which are Cyclic Redundancy Checks)?
When you say fragmented I assume you mean IP fragmentation?
Do you have IP reassembly enabled? If not it may be that we're trying to check the checksum when we're not supposed to be.
It might be simpler if you just posted the PCAP file.
Yes. I meant checksum not crc. I found if I turn off the IPv4 reassembly the "problem" with not calculating the UDP checksum is not marked as an error (but is unverified).