Ethereal-users: RE: [Ethereal-users] incorrect tcp checksums

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Mads Nielsen (DXD)" <Mads.B.Nielsen@xxxxxxxxxxxxxxx>
Date: Tue, 15 Oct 2002 08:33:20 +0200
> If Ethereal (or any other sniffing program that checks TCP checksums,
> e.g. tcpdump) is run on a network interface where the interface
> generates the TCP checksum and on an OS that uses that feature (and thus
> doesn't bother generating the checksum itself), and where the interface
> doesn't see its own packets and thus outgoing packets are seen by
> sniffers as handed to the interface rather than as put onto the wire
> (which is the case for most if not all Ethernet interfaces), the sniffer
> will report incorrect TCP checksums but the checksum on the wire will be
> correct.
I agree that you have to use a third machine (and a hub or a mirror port) if you
really want to see what is on the wire.

However, in most cases (when you are not fighting with low-level errors ;-) I guess
the average user would expect to see what is (supposed to be) sent on the wire.
I would recommend that PCAP (or WinPCAP) detects whether checksums are calculated
below it on outgoing packets (based on OS and/or driver).
If true then it could insert the correct checksums before passing the packets
to the client (Ethereal).

The net result would be that the user doesn't see any incorrect checksum errors
and that TCP desegmentation works with the default settings.

I have not posted this on the PCAP mailing-list(s) because I am currently not subscribed
to those (feel free to cross-post it - I don't have time right now ;-).

Regards,
Mads Bligaard Nielsen
Core Software Development, Ericsson Diax