capture by wireshark, it shows my packet has IP checksum error

  • Question

  • Captured by Wireshark, it shows my packet has an IP checksum error. Here's the code; does it have any error?

    NTSTATUS CalculateIPChecksum(IN PNET_BUFFER pNetBuffer)
    {
        PMDL   pMdl          = NULL ;
        PUCHAR pIPChecksumHi = NULL ;   // byte 10 of the IP header (checksum, high byte)
        PUCHAR pIPChecksumLo = NULL ;   // byte 11; may live in a different MDL than byte 10
        UINT   mdlOffset     = 0,
               pktOffset     = 0,
               ipHeaderLen   = 0 ;
        UINT32 ipSum         = 0 ;

        // Every NET_BUFFER in the list carries its own IP header.
        while( pNetBuffer )
        {
            pIPChecksumHi = NULL ;
            pIPChecksumLo = NULL ;
            ipHeaderLen   = 0 ;
            ipSum         = 0 ;
            pktOffset     = 0 ;

            pMdl      = NET_BUFFER_CURRENT_MDL(pNetBuffer) ;
            mdlOffset = NET_BUFFER_CURRENT_MDL_OFFSET(pNetBuffer) ;

            // The header may be spread over several MDLs, so walk them byte by byte.
            while( pMdl )
            {
                PUCHAR pBuffer ;
                UINT   mdlLen = 0, bufOffset = 0 ;

                NdisQueryMdl(pMdl, (PVOID*)&pBuffer, &mdlLen, HighPagePriority) ;
                if( pBuffer == NULL )
                {
                    DPRINT(WA_DEBUG_ERR, ("Error: Failed to retrieve MDL buffer due to exhausted system.")) ;
                    return STATUS_INSUFFICIENT_RESOURCES ;
                }

                // Skip the unused leading bytes of the first MDL.
                if( mdlOffset > 0 )
                {
                    pBuffer  += mdlOffset ;
                    mdlLen   -= mdlOffset ;
                    mdlOffset = 0 ;
                }

                while( bufOffset < mdlLen )
                {
                    UCHAR ch = pBuffer[bufOffset] ;

                    switch( pktOffset )
                    {
                    case 0:                         // Version/IHL: header length in 32-bit words
                        ipHeaderLen = (ch & 0x0F) * 4 ;
                        break ;

                    case 10:                        // checksum field, high byte
                        pIPChecksumHi = pBuffer + bufOffset ;
                        break ;

                    case 11:                        // checksum field, low byte
                        pIPChecksumLo = pBuffer + bufOffset ;
                        break ;
                    }

                    // One's-complement sum of the header as big-endian 16-bit words,
                    // with the checksum field itself counted as zero (RFC 791).
                    if( pktOffset < ipHeaderLen && pktOffset != 10 && pktOffset != 11 )
                        ipSum += (pktOffset % 2 == 0) ? (ch << 8) : ch ;

                    bufOffset++ ;
                    pktOffset++ ;

                    if( pktOffset >= ipHeaderLen )
                        goto finish ;
                }
                NdisGetNextMdl(pMdl, &pMdl) ;
            }
    finish:
            // IHL below 5, or the MDL chain ended before the header did: nothing sane to write.
            if( ipHeaderLen < 20 || pktOffset < ipHeaderLen ||
                pIPChecksumHi == NULL || pIPChecksumLo == NULL )
            {
                DPRINT(WA_DEBUG_ERR, ("Error: Truncated or malformed IP header.")) ;
                return STATUS_BUFFER_TOO_SMALL ;
            }

            // Fold the carries back in (end-around carry), then invert.
            while( ipSum >> 16 )
                ipSum = (ipSum & 0xFFFF) + (ipSum >> 16) ;

            ipSum = ~ipSum ;

            // Store in network byte order. The two bytes are written through separate
            // pointers because they may sit in different MDLs.
            *pIPChecksumHi = (UCHAR)((ipSum & 0xFF00) >> 8) ;
            *pIPChecksumLo = (UCHAR)( ipSum & 0x00FF) ;

            pNetBuffer = NET_BUFFER_NEXT_NB(pNetBuffer) ;
        }
        return STATUS_SUCCESS ;
    }


    Monday, September 6, 2010 8:57 AM

Answers

  • Monkey,

    1.) On Windows when you monitor packets that are sent by the local host you don't actually see the packet as it was sent on the wire. Instead you see a software loopback of the original packet that was sent by the host TCP/IP protocol.

    2.) These days most network adapters support what they call "checksum offload". In this case the host TCP/IP protocol doesn't have to calculate the checksum - the adapter will do it.

    Combining 1.) and 2.), in Wireshark for outbound packets you will see a software loopback before the adapter has calculated the checksum. Wireshark will naturally show this as a bad checksum. If you use Wireshark to observe that same packet on the wire somewhere else (say at the receiver...) you would see the checksum as correct.

    Thomas F. Divine

    http://www.pcausa.com



    Thomas F. Divine http://www.pcausa.com
    Monday, September 6, 2010 12:39 PM
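The arithmetic the driver above performs, rewritten as a stand-alone user-mode C program (an added example, not the poster's code): it walks a constructed 20-byte header across two buffer fragments the way the MDL loop does, including the case where the checksum field straddles a fragment boundary, and then applies the receiver-side check Wireshark uses to flag a bad checksum, which is why the still-zero field of an offload-pending loopback copy is reported as an error. `struct frag`, `sample_hdr` and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* One fragment of an IPv4 header; stands in for one MDL of the NET_BUFFER chain. */
struct frag { const uint8_t *data; size_t len; };

/* One's-complement sum of the header, walked byte by byte across fragments as the
 * driver above does; bytes 10-11 (the checksum field) are skipped if skip_csum.
 * Stores the folded 16-bit sum in *out and returns 0, or -1 on a non-IPv4, short-IHL or truncated header. */
static int ipv4_header_sum(const struct frag *f, size_t n, int skip_csum, uint16_t *out)
{
    uint32_t sum = 0;
    size_t off = 0, hdr_len = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < f[i].len; j++, off++) {
            uint8_t ch = f[i].data[j];
            if (off == 0) {
                hdr_len = (size_t)(ch & 0x0F) * 4;
                if ((ch >> 4) != 4 || hdr_len < 20) return -1;
            }
            if (!(skip_csum && (off == 10 || off == 11)))
                sum += (off % 2 == 0) ? (uint32_t)ch << 8 : ch;   /* big-endian words */
            if (off + 1 == hdr_len) {
                while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16); /* end-around carry */
                *out = (uint16_t)sum;
                return 0;
            }
        }
    return -1;
}

/* Constructed sample: IPv4/UDP header 192.168.0.1 -> 192.168.0.199 with the
 * checksum field still zero, as the loopback copy of an offloaded packet looks. */
static uint8_t sample_hdr[20] = { 0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00,
    0x40,0x11,0x00,0x00, 0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };
/* Compute and write the checksum of a header delivered as two fragments split at byte
 * `cut`, so the checksum field may straddle the boundary. Returns the value written
 * (0 for a malformed header); *valid_after receives the receiver-side re-check. */
static uint16_t fill_checksum_split(uint8_t hdr[20], size_t cut, int *valid_after)
{
    struct frag f[2] = { { hdr, cut }, { hdr + cut, 20 - cut } };
    uint16_t s, c;
    if (ipv4_header_sum(f, 2, 1, &s) != 0) return 0;
    c = (uint16_t)~s;                /* checksum = inverted sum of the other words */
    hdr[10] = (uint8_t)(c >> 8);     /* big-endian; the two bytes may sit in different fragments */
    hdr[11] = (uint8_t)(c & 0xFF);
    /* Receiver-side check (what Wireshark does): whole header incl. checksum must sum to 0xFFFF. */
    *valid_after = ipv4_header_sum(f, 2, 0, &s) == 0 && s == 0xFFFF;
    return c;
}
```

Calling `fill_checksum_split(sample_hdr, 11, &valid)` splits the header between bytes 10 and 11, writes 0xB861 and reports the header as valid afterwards; summing the unfilled header first gives 0x479E, not 0xFFFF, which is exactly the "bad checksum" a capture of the loopback copy shows.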

All replies

  • Thanks for your reply.

    But I think I must use it, because when I remove this code (IP checksum, TCP checksum, UDP checksum), the server cannot receive any data.

    Tuesday, September 7, 2010 2:10 AM
  • Is this code in a NDIS filter?

    If so, then your code is doing the calculations correctly - since the server is getting them.

    BUT WireShark may be seeing the original packet (from higher than your filter) and the original packet did not have correct checksum.

    In any case don't expect Wireshark to tell the truth when it is running on the same host as your driver. If you run Wireshark on the server you will see the packet as it actually was on the wire - and that is what is important.

    Good luck!

    Thomas F. Divine



    Thomas F. Divine http://www.pcausa.com
    Tuesday, September 7, 2010 2:30 AM
  • Hi Thomas:

    This code was in a WFP driver; it is used to inject the packet (change IP and port) and send it out. Thank you.

    Tuesday, September 7, 2010 5:13 AM