I searched through this year's worth of the mailing list archives, so
if this was talked about prior to that, please point me in that
direction.
Platform:
Darwin localhost 5.3 Darwin Kernel Version 5.3 / OS X version 10.1.3
Tested programs:
tcpdump linked with apple's libpcap
tcpdump-2002.03.27 linked with libpcap-2002.03.27
snort linked with libpcap 0.6.2
ethereal linked with libpcap 0.6.2
Command line:
tcpdump -i en0 -s 1500 -w singleweb.cap host 10.1.1.3 and port 80
For traffic originating at my local machine to a remote machine all
the TCP checksums I sniff out are invalid. They are correct when
sniffed off the wire at the other end. I've not tested purely
passively but my guess is that would work.
Example:
Same packet both ways:
Correct/sniffed on OBSD 2.9(except for the clock time):
TCP Header Checksum = 0x193c
09:26:39.015815 10.1.1.52.49563 > 10.1.1.3.80:
S 4079637907:4079637907(0) win 32768
<mss 1460,nop,wscale 0,nop,nop,timestamp 364772 0> (DF)
4500 003c d416 4000 4006 506d 0a01 0134
0a01 0103 c19b 0050 f32a 5593 0000 0000
a002 8000 193c 0000 0204 05b4 0103 0300
0101 080a 0005 90e4 0000 0000 af00 0c0c
# oops this server's clock is off
Incorrect/sniffed on OS X 10.1.3:
TCP Header Checksum = 0x1667
11:24:23.123238 10.1.1.52.49563 > 10.1.1.3.80: S 4079637907:4079637907(0) win 32768
<mss 1460,nop,wscale 0,nop,nop,timestamp 364772 0> (DF)
4500 003c d416 4000 4006 506d 0a01 0134
0a01 0103 c19b 0050 f32a 5593 0000 0000
a002 8000 1667 0000 0204 05b4 0103 0300
0101 080a 0005 90e4 0000 0000
My guess is it could be a Darwin driver issue but not sure.
--
Chris Green <[EMAIL PROTECTED]>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
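As an added example (not part of the post above and not tcpdump or libpcap code), the script below recomputes the IPv4 header checksum and the TCP checksum from the two hex dumps quoted in the post; the dumps are the post's own, while the parser, the function names and the output layout are assumptions of this example. It confirms 0x193c as the correct TCP checksum for the segment, and it also shows that the 0x1667 stored in the OS X copy equals the one's complement sum of the TCP pseudo-header alone (source, destination, protocol, length). That partial sum is what a stack using hardware checksum offload writes into the field for the NIC to finish, so a sniffer attached on the sending host sees the unfinished value, while the same packet captured off the wire at the receiver carries the completed checksum.

```python
"""Verify IPv4 and TCP checksums from tcpdump -x hex dumps (added example)."""
import struct

# Both dumps are copied from the post (tcpdump -x output of the same SYN).
# The OpenBSD capture carries four trailing bytes beyond the IP total length
# (af00 0c0c); analyze() trims them using the length field.
OBSD_DUMP = """
4500 003c d416 4000 4006 506d 0a01 0134
0a01 0103 c19b 0050 f32a 5593 0000 0000
a002 8000 193c 0000 0204 05b4 0103 0300
0101 080a 0005 90e4 0000 0000 af00 0c0c
"""

OSX_DUMP = """
4500 003c d416 4000 4006 506d 0a01 0134
0a01 0103 c19b 0050 f32a 5593 0000 0000
a002 8000 1667 0000 0204 05b4 0103 0300
0101 080a 0005 90e4 0000 0000
"""


def parse_hexdump(text):
    """Turn tcpdump -x style hex groups into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ones_complement_sum(data):
    """16-bit one's complement sum (RFC 1071) with end-around carry folded in."""
    if len(data) % 2:
        data = data + b"\x00"  # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data):
    """Checksum as stored in a header: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def analyze(packet):
    """Check the IPv4 header checksum and the TCP checksum of one packet.

    Returns the stored and recomputed values plus the bare pseudo-header sum,
    the value an offloading stack leaves in the TCP checksum field before the
    NIC completes the calculation.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:total_len]  # drop any trailer past the IP total length
    ip_hdr = packet[:ihl]
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:]

    ip_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_expected = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

    # TCP pseudo-header: source, destination, zero, protocol, TCP length
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    tcp_stored = struct.unpack("!H", segment[16:18])[0]
    tcp_expected = internet_checksum(
        pseudo + segment[:16] + b"\x00\x00" + segment[18:])

    return {
        "ip_stored": ip_stored,
        "ip_expected": ip_expected,
        "ip_ok": ip_stored == ip_expected,
        "tcp_stored": tcp_stored,
        "tcp_expected": tcp_expected,
        "tcp_ok": tcp_stored == tcp_expected,
        "pseudo_header_sum": ones_complement_sum(pseudo),
    }


if __name__ == "__main__":
    for name, dump in (("OpenBSD", OBSD_DUMP), ("OS X", OSX_DUMP)):
        r = analyze(parse_hexdump(dump))
        print("%-8s IP 0x%04x (expected 0x%04x)  TCP 0x%04x (expected 0x%04x)  "
              "pseudo-header sum 0x%04x"
              % (name, r["ip_stored"], r["ip_expected"],
                 r["tcp_stored"], r["tcp_expected"], r["pseudo_header_sum"]))
```

Run it as a script to print both results side by side. The IP header checksum (0x506d) verifies on both captures, which fits the symptom: only the TCP checksum, the one commonly handed to the NIC, differs between the two.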
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html