[tcpdump-workers] Better dumping of packets with bad TCP checksums?

2004-07-30 Thread Greg Weiss

Question:
--
Is there a way to command-line filter tcpdump so that only packets with
bad TCP checksums are dumped?  (I rtfm'd but couldn't find it, but it
seemed useful/simple enough that I might be missing something. Hence
I'm asking here.)


Background:
--
I've been reading up on tcpdump to try to track down some packet
corruption I'm seeing with an application we've built.

The corruption seems to only happen on packets with certain
characteristics.

I've figured out how to dump packets that correspond to one
highly-specific instance of corruption that we can replicate:

tcpdump -i fxp1 -l -s 1023 -X 'tcp[342]=67 and tcp[343]=97 and
tcp[346]!=101'

But I don't know how to flag a more general case of TCP checksum 
mismatching.  I do know how to use the -v command to dump packets 
in such a way that it shows if the TCP checksum header does or 
does not match:

tcpdump -i fxp1 -l -s 1023 -X -v

11:08:50.563045 x1.blah.com.3076 > x2.blah.com.http: P [bad tcp cksum
dc08!] 1:396(395) ack 1 win 8760 (DF) (ttl 113, id 39274, len 435)

And I can certainly grep through huge dumps.  What I haven't found is 
whether there's some sort of expression I can use with tcpdump that 
will only dump packets with bad checksums.  Advice?


Related question:
---
Preliminary testing indicates that the corruption is generated by 
a cheap and common NAT box, even with the latest firmware.  So
it may not be in my control to fix the problem given NATs in the wild,
but I'd like to be alerted (to aid customer troubleshooting) if
it happens on an ongoing basis.  Is there a particular tool/approach
anyone would recommend for flagging/logging the existence of 
incoming corrupted TCP/IP packets?


Thanks much,
  Greg Weiss

P.S. Sentence 2 in the man page should refer to the -r flag, not the -b
flag, right?
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


Re: [tcpdump-workers] Better dumping of packets with bad TCP checksums?

2004-07-30 Thread Guy Harris
On Jul 30, 2004, at 10:14 AM, Greg Weiss wrote:
> Is there a way to command-line filter tcpdump so that only packets with
> bad TCP checksums are dumped?
No.
The BPF filtering mechanism can't handle it, as there's no way for it 
to compute a checksum, and the filtering mechanism is BPF-based.

A separate mechanism could probably be added in tcpdump - note that it 
won't work if you use a snapshot length shorter than the full length of 
the packet (because the checksum can't be computed unless you have all 
the data) or if the TCP segment is fragmented at the IP layer, and it 
wouldn't do anything useful for packets sent by the machine running 
tcpdump (and, in fact, might have to forego checking those packets if 
the interface on which they're being sent does TCP checksum 
offloading).

In order to support a short snapshot length, there'd have to be OS 
kernel changes to do the check in the kernel *and* supply the results 
of the check to libpcap (e.g. a BPF instruction to do a checksum 
check), or, if checksum checking were done, the snapshot length used 
when getting packets from the kernel would have to be something large 
enough to get the entire packet, and the packet would have to be cut 
off in userland.

> Is there a particular tool/approach
> anyone would recommend for flagging/logging the existence of
> incoming corrupted TCP/IP packets?
An intrusion detection system, if sufficiently user-configurable, might 
support that.  (It'd have to look at all the incoming TCP packets to do 
that.)

> P.S. Sentence 2 in the man page should refer to the -r flag, not the -b
> flag, right?
In tcpdump 3.7.2 and later, it *does* refer to the -r flag; it 
referred to -b in 3.7.1, but 3.7.2 fixes a problem in the ISAKMP 
parser for which there's a security advisory.  The current version is 
3.8.3; hopefully no current version of any OS is shipping 3.7.1.

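The userland check Guy describes, and the logging of corrupted incoming segments Greg asks about in his related question, can be done outside BPF by reading whole frames and recomputing the TCP checksum over the pseudo-header. The following is an added example, not code from tcpdump or libpcap: it parses raw Ethernet/IPv4/TCP frames constructed inline (192.0.2.x addresses, MAC addresses and payload are made up), verifies the checksum, and reports the two cases the reply says cannot be checked, a capture shorter than the packet and an IP-fragmented segment. In practice the frames would come from a full-snaplen capture (`tcpdump -s 0 -w`), which this example assumes rather than implementing.

```python
"""Verify TCP checksums of Ethernet/IPv4 frames in userland.

Added example, not tcpdump's code. All frames below are constructed
inline so the script runs offline; a real deployment would feed it
full-length frames from a pcap file.
"""
import struct
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones' complement sum, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, segment: bytes) -> bytes:
    """TCP pseudo-header: src, dst, zero, protocol, TCP length."""
    return src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum of a segment whose checksum field is zero."""
    return (~ones_complement_sum(pseudo_header(src, dst, segment) + segment)) & 0xFFFF


def classify(frame: bytes, caplen: Optional[int] = None) -> str:
    """Return 'ok', 'bad', 'truncated', 'fragmented' or 'not-tcp'.

    caplen simulates a tcpdump snapshot length shorter than the frame.
    """
    captured = frame if caplen is None else frame[:caplen]
    if len(captured) < ETH_HDR_LEN + 20:
        return "truncated"
    if struct.unpack("!H", captured[12:14])[0] != ETHERTYPE_IPV4:
        return "not-tcp"
    ip = captured[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    if ip[9] != IPPROTO_TCP:
        return "not-tcp"
    # MF flag (0x2000) or a nonzero fragment offset: the TCP segment is
    # spread over several IP packets and cannot be checksummed from one frame.
    if flags_frag & 0x3FFF:
        return "fragmented"
    # Snapshot shorter than the IP total length: checksum cannot be computed.
    if len(ip) < total_len:
        return "truncated"
    segment = ip[ihl:total_len]
    if len(segment) < 20:
        return "truncated"
    src, dst = ip[12:16], ip[16:20]
    # With the checksum field left in place, the folded sum of a correct
    # segment is 0xFFFF.
    good = ones_complement_sum(pseudo_header(src, dst, segment) + segment) == 0xFFFF
    return "ok" if good else "bad"


def build_frame(payload: bytes, ip_flags: int = 0x4000) -> bytes:
    """Construct a valid Ethernet/IPv4/TCP frame (constructed sample data)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    # sport 3076, dport 80, seq 1, ack 1, data offset 5, flags PSH|ACK, win 8760
    tcp_hdr = struct.pack("!HHIIBBHHH", 3076, 80, 1, 1, 5 << 4, 0x18, 8760, 0, 0)
    segment = tcp_hdr + payload
    segment = segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 39274,
                         ip_flags, 113, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", (~ones_complement_sum(ip_hdr)) & 0xFFFF) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + segment


def flip_payload_byte(frame: bytes, offset: int) -> bytes:
    """Simulate in-flight corruption by altering one TCP payload byte."""
    pos = ETH_HDR_LEN + 20 + 20 + offset
    return frame[:pos] + bytes([frame[pos] ^ 0x04]) + frame[pos + 1:]


def count_bad(frames) -> int:
    """Number of frames whose TCP checksum verifiably does not match."""
    return sum(1 for f in frames if classify(f) == "bad")


if __name__ == "__main__":
    good = build_frame(b"GET / HTTP/1.0\r\n\r\n")
    samples = [good, flip_payload_byte(good, 4), build_frame(b"GET /", ip_flags=0x2000)]
    for f in samples:
        print(classify(f))
    print(classify(good, caplen=60))  # short snaplen: cannot be verified
```

Frames reported as `truncated` or `fragmented` are neither good nor bad; a logging tool built on this should count them separately rather than fold them into either bucket, which is the same limitation the reply describes for an in-tcpdump check.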