This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

CRC calculation of fragmented UDP packet marked as incorrect. Even if it is verified as valid.

0

I am using Wireshark (Version 2.2.7 (v2.2.7-0-g1861a96)) and was hoping someone explain why fragmented udp packets with a valid CRC are being marked with Checksum 0x7c21 [incorrect, should be 0xf934] (maybe caused by "UDP checksum offload") even if the packet has the checksum of 0xf934. Any help would be appreciated. Thanks.

This question is marked "community wiki".

asked 26 Jun '17, 18:27

slb3's gravatar image

slb3
6113
accept rate: 0%

Is that the IP checksum or the UDP checksum (neither of which are Cyclic Redundancy Checks)?

(26 Jun '17, 18:38) Guy Harris ♦♦

When you say fragmented I assume you mean IP fragmentation?

Do you have IP reassembly enabled? If not it may be that we're trying to check the checksum when we're not supposed to be.

It might be simpler if you just posted the PCAP file.

(27 Jun '17, 06:40) JeffMorriss ♦

Yes. I meant checksum not crc. I found if I turn off the IPv4 reassembly the "problem" with not calculating the UDP checksum is not marked as an error (but is unverified).

(27 Jun '17, 10:02) slb3

One Answer:

0

This sounds as if it's the UDP checksum.

If the UDP packet is fragmented, its checksum cannot be calculated unless it's reassembled, so Wireshark can't verify the checksum.

If the checksum is reported as incorrect, either it really is incorrect, or it's a packet sent by the machine on which the capture was done and the network adapter is doing checksum offloading (so that the copy of the packet handed to the capture program hasn't had the checksum set), or there's a bug in Wireshark.

To determine which of those is the case, we'd need a copy of the capture. Please file a bug on the Wireshark Bugzilla and attach the capture file to it.

answered 27 Jun '17, 10:14

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Yes. It is a UDP checksum issue. I will post a copy of the pcap file in Wireshark's Bugzillia. Thanks.

(27 Jun '17, 10:25) slb3

Bug # 13853

(27 Jun '17, 11:00) slb3

If you could answer the questions posted in the bug, that would be helpful too.

(28 Jun '17, 06:33) Jaap ♦