WannabeArchitect

Reputation: 1166

Verifying Checksum value through Wireshark

I'm trying to verify the validity of a checksum value of a UDP packet by checking the packet with Wireshark. In this specific packet I'm looking at, the values of the UDP headers are as follows:

Source port: 53 (0000 0000 0011 0101)

Destination port: 64992 (1111 1101 1110 0000)

Length: 64 (0000 0000 0100 0000)

Now if these values are added, the sum is 65109 (1111 1110 0101 0101)

So I expect the checksum value to be 426 (0001 1010 1010), which is the 1's complement of the sum.

But in Wireshark, the checksum value is 0x63c7, and it says that this checksum is correct.

I'd like to know where I'm mistaken. Any help or push in the right direction would be greatly appreciated.

Thanks in advance.

Upvotes: 2

Views: 4936

Answers (1)

Christopher Maynard

Reputation: 6254

If you reference RFC 768, you will find the details you need to properly compute the checksum:

Checksum is the 16-bit one's complement of the one's complement sum of a
pseudo header of information from the IP header, the UDP header, and the
data, padded with zero octets at the end (if necessary) to make a
multiple of two octets.

The pseudo header conceptually prefixed to the UDP header contains the
source address, the destination address, the protocol, and the UDP
length. This information gives protection against misrouted datagrams.
This checksum procedure is the same as is used in TCP.

                  0      7 8     15 16    23 24    31
                 +--------+--------+--------+--------+
                 |          source address           |
                 +--------+--------+--------+--------+
                 |        destination address        |
                 +--------+--------+--------+--------+
                 |  zero  |protocol|   UDP length    |
                 +--------+--------+--------+--------+

If the computed checksum is zero, it is transmitted as all ones (the
equivalent in one's complement arithmetic). An all zero transmitted
checksum value means that the transmitter generated no checksum (for
debugging or for higher level protocols that don't care).

If you want to see how Wireshark's UDP dissector handles it, you can look at the source code for packet-udp.c. Basically, after setting up the data inputs properly, it essentially just calls the in_cksum() function in the in_cksum.c file to compute it.

You might also want to take a look at RFC 1071, "Computing the Internet Checksum".

Upvotes: 3
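A worked calculation of the point the answer makes, as an added example (not code from the question, the answer, or Wireshark's packet-udp.c): it builds the RFC 768 pseudo-header, runs the RFC 1071 one's complement sum over pseudo-header plus UDP header plus data, and contrasts the result with the header-fields-only value of 426 from the question. The packet is constructed: the question's ports and length (53, 64992, 64), with the documentation addresses 192.0.2.1 and 192.0.2.2 and a 56-byte payload assumed.

```python
import socket
import struct

UDP_PROTO = 17

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"          # pad an odd length with a zero octet
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:           # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: source address, destination address, zero, protocol, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, udp_len)

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header (checksum field zeroed) + data."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF        # a computed zero is transmitted as all ones

def build_udp(src_port: int, dst_port: int, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Assemble a UDP segment with its checksum filled in."""
    length = 8 + len(payload)
    draft = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    return struct.pack("!HHHH", src_port, dst_port, length, udp_checksum(src_ip, dst_ip, draft)) + payload

def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Receiver-side check: 'none' for a zero field, else the sum over everything
    (checksum field included) must come out as all ones."""
    (received,) = struct.unpack("!H", segment[6:8])
    if received == 0:
        return "none"
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return "good" if total == 0xFFFF else "bad"

def header_fields_only(src_port: int, dst_port: int, length: int) -> int:
    """The question's approach: complement of the sum of three header fields alone."""
    return 0xFFFF ^ ones_complement_sum(struct.pack("!HHH", src_port, dst_port, length))

# Constructed sample: documentation addresses, 56-byte payload so the UDP length is 64.
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
PAYLOAD = b"\xab\xcd" * 28

if __name__ == "__main__":
    seg = build_udp(53, 64992, PAYLOAD, SRC_IP, DST_IP)
    print(hex(header_fields_only(53, 64992, 64)))   # 0x1aa (426): header fields only
    print(hex(udp_checksum(SRC_IP, DST_IP, seg)), verify_udp(SRC_IP, DST_IP, seg))
```

Flipping any payload byte in `seg` makes `verify_udp` report "bad", and zeroing the checksum field makes it report "none", which is the distinction Wireshark draws between an incorrect checksum and one that was never computed.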
