Fix packet with wrong checksum

Jan 31, 2015 at 11:13 AM
I have several pcap files with bad checksums, and in order to fix those files I am using this:
        // Rebuilds the packet so that the IPv4 and transport checksums are recalculated.
        private Packet FixBadChecksum(Packet packet)
        {
            try
            {
                EthernetLayer ethernet = (EthernetLayer)packet.Ethernet.ExtractLayer();
                IpV4Layer ipV4Layer = (IpV4Layer)packet.Ethernet.IpV4.ExtractLayer();
                DateTime packetTimestamp = packet.Timestamp;
                // GetTransportLayer is the poster's own helper (not shown in the post).
                TransportLayer transportlayer = GetTransportLayer(packet);
                ILayer datagramLayer = (PayloadLayer)packet.Ethernet.IpV4.Payload.ExtractLayer();
                ipV4Layer.HeaderChecksum = null; // null means "calculate on Build"

                if (transportlayer == null)
                {
                    return PacketBuilder.Build(packetTimestamp, ethernet, ipV4Layer, datagramLayer);
                }
                else
                {
                    transportlayer.Checksum = null; // null means "calculate on Build"
                    ILayer payload = packet.Ethernet.IpV4.Transport.Payload.ExtractLayer();
                    return PacketBuilder.Build(packetTimestamp, ethernet, ipV4Layer, transportlayer, payload);
                }
            }
            catch (Exception)
            {
                return packet; // on any failure, return the packet unchanged
            }
        }
Now, for example, my packet is ICMP; after this packet (with a bad checksum) goes through my function it still has a bad checksum, so my question is: do I need to check every packet's protocol first, or is there a generic method to do that? (Currently my function works fine with TCP and UDP, but what about other protocols?)
Jan 31, 2015 at 2:11 PM
Can you post an example of pcap files with a single packet before and after this function?
Jan 31, 2015 at 3:02 PM
Feb 6, 2015 at 12:46 PM
Hi psptst1,

Looking at your icmp_bad.pcap file, it seems that all of the packets are ICMP over IPv4 packets and they all have a correct IPv4 checksum.

The bad checksums you see are the checksums of the IPv4 header or the TCP over IPv4 header inside the ICMP.
These checksums are likely to be bad because the data over ICMP is only a partial copy of the packet that was sent, in response to which the ICMP was returned.

I don't see any reason to try and fix these checksums.

If you do want to fix them for some reason, you will have to fix the IPv4 layer over ICMP.
And possibly the checksum in the Transport layer over the IPv4 layer over ICMP.
The reason the packets are marked in black in Wireshark is not because of the bad checksums you see.
It is because these are Destination Unreachable ICMP packets, which indicate a problem with the packets that were sent, in response to which these packets were likely created.

I hope this helps,
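
An added example, not part of the original thread and not Pcap.Net code: it builds a constructed ICMP Destination Unreachable packet as raw bytes (all addresses, ports and field values are made up) and checks the outer IPv4 checksum, the ICMP checksum and the quoted inner header separately. It shows why the quoted transport checksum cannot be validated from the partial copy carried in the ICMP payload.

```csharp
using System;

static class IcmpQuoteCheck
{
    // RFC 1071 Internet checksum; yields 0 over a range that already holds a correct checksum.
    static ushort Sum(byte[] b, int off, int len)
    {
        uint s = 0;
        for (int i = 0; i < len; i += 2)
            s += (uint)(b[off + i] << 8) | (i + 1 < len ? b[off + i + 1] : 0u);
        while ((s >> 16) != 0) s = (s & 0xFFFF) + (s >> 16);
        return (ushort)(~s & 0xFFFF);
    }

    static void Put(byte[] b, int off, ushort v) { b[off] = (byte)(v >> 8); b[off + 1] = (byte)v; }

    // Constructed sample: outer IPv4 (20) + ICMP type 3 header (8) + quoted IPv4 (20) + 8 TCP bytes.
    static byte[] BuildSample()
    {
        byte[] p = new byte[56];
        byte[] outer = { 0x45,0,0,56, 0,1,0,0, 64,1,0,0, 192,0,2,1, 192,0,2,2 };
        byte[] icmp = { 3,1,0,0, 0,0,0,0 };
        byte[] quoted = { 0x45,0,0,60, 0x12,0x34,0x40,0, 63,6,0,0, 192,0,2,2, 198,51,100,7,
                          0xC0,0x00, 0,80, 0,0,0,1 };   // quoted total length says 60 bytes
        outer.CopyTo(p, 0); icmp.CopyTo(p, 20); quoted.CopyTo(p, 28);
        Put(p, 28 + 10, Sum(p, 28, 20));  // quoted IPv4 header checksum
        Put(p, 20 + 2, Sum(p, 20, 36));   // ICMP checksum covers ICMP header plus the quote
        Put(p, 10, Sum(p, 0, 20));        // outer IPv4 header checksum
        return p;
    }

    static void Report(byte[] p)
    {
        int ihl = (p[0] & 0x0F) * 4;
        int total = (p[2] << 8) | p[3];
        if (p[9] != 1 || p[ihl] != 3) return;  // only ICMP Destination Unreachable is handled
        int q = ihl + 8;                       // quote starts after the 8-byte ICMP header
        int qIhl = (p[q] & 0x0F) * 4;
        int qTotal = (p[q + 2] << 8) | p[q + 3];
        int present = total - q;               // bytes of the original datagram actually quoted
        Console.WriteLine("outer IPv4 header checksum ok:  " + (Sum(p, 0, ihl) == 0));
        Console.WriteLine("ICMP checksum ok:               " + (Sum(p, ihl, total - ihl) == 0));
        Console.WriteLine("quoted IPv4 header checksum ok: " + (Sum(p, q, qIhl) == 0));
        Console.WriteLine("quoted datagram bytes present:  " + present + " of " + qTotal);
        Console.WriteLine("quoted transport checksum verifiable: " + (present >= qTotal));
    }

    static void Main() { Report(BuildSample()); }
}
```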