user2214609

Reputation: 4951

Check whether Wireshark file contains bad checksum packets

I am looking for a command that tells me whether a Wireshark file contains bad checksum packets, not using the GUI but using the command line (maybe via Tshark?)

I have seen this command here in this forum but cannot find it now.

Upvotes: 2

Views: 5075

Answers (2)

Achute Sharma

Reputation: 21

You can use: _ws.expert.group == "Checksum" as the filter, which checks for bad checksum errors.

tshark -r input.pcap -Y '_ws.expert.group == "Checksum"'

Upvotes: 2

graphite

Reputation: 2958

You can filter packets that have a specific field:value with tshark. For TCP packets there is the tcp.checksum_bad field. There can be other fields for other protocols. Also, for the TCP dissector there is an option that enables/disables checksum validation, tcp.check_checksum. So to find packets with a bad checksum with tshark:

tshark -o 'tcp.check_checksum:True' -Y 'tcp.checksum_bad==True' -r input.pcap

Also, you can try the expert.message=="Bad checksum" filter.

Upvotes: 3
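
A wrapper that turns the filters from the answers above into a yes/no result with an exit status, as an added example that is not part of the original answers. The function names and the exit-code convention are assumptions made here, and it assumes a tshark build whose expert fields are named `_ws.expert.*`.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Exit status of check_capture_checksums (convention assumed here):
#   0 = no bad checksums, 1 = bad checksums found, 2 = tshark/file error.
# Usage: check_capture_checksums input.pcap; echo "exit status: $?"

# Print the number of frames that carry a checksum expert item.
# Checksum validation is a dissector preference and may be switched off,
# so it is enabled explicitly for IPv4, TCP and UDP.
count_bad_checksums() {
    pcap=$1
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 2; }
    out=$(tshark -r "$pcap" \
        -o 'ip.check_checksum:TRUE' \
        -o 'tcp.check_checksum:TRUE' \
        -o 'udp.check_checksum:TRUE' \
        -Y '_ws.expert.group == "Checksum"' \
        -T fields -e frame.number) || return 2
    # tshark prints one frame number per line; no output means no matches.
    if [ -z "$out" ]; then
        echo 0
    else
        printf '%s\n' "$out" | wc -l | tr -d ' '
    fi
}

# Report the count and map it to an exit status usable in scripts.
check_capture_checksums() {
    n=$(count_bad_checksums "$1") || return 2
    echo "$1: $n frame(s) with bad checksums"
    [ "$n" -eq 0 ]
}
```

Captures taken on the sending host with checksum offload enabled show bad checksums on outgoing packets that are correct on the wire, so a non-zero count from such a capture does not by itself indicate corruption.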
