Wireshark · Ethereal-users: Re: [Ethereal-users] Invalid ICMP Checksum

[Guy Harris <gharris@xxxxxxxxx>]

Scott Fringer wrote:

>   A colleague and I are working through a capture file with fragmented
> ICMP packets.  In every one of these, only the initial part of the ICMP
> echo request or echo reply is decoded as ICMP (the remaining fragments
> are decoded as IP).    
>
>   In the initial fragment of the ICMP packet, the ICMP checksum is not
> listed as "correct" (as it is in single frame ICMP packets).  So we are
> deducing that the ICMP checksum is incorrect.

"Not listed as correct" does not imply "incorrect".  If it's incorrect, 
it'll be listed as incorrect; if it's not listed as incorrect, and not 
listed as correct, it means it hasn't been checked at all...

> Is this related to the
> fact that the ICMP packet is composed of multiple fragments (and hence
> the checksum can not be successfully computed)?

...which will happen if the packet is fragmented and wasn't reassembled.

> Is there a way to stitch
> all of the ICMP fragments together to verify the ICMP checksum is valid?

Turn on the "Reassemble fragmented IP datagrams" option in the 
preferences for IP.  (Select Preferences from the Edit menu, open up the 
"Protocols" list in the dialog box, select "IP", turn on the option, and 
click "OK" to turn it on in this session or click "Save" to turn it on 
in this session and save all the current preference settings as 
permanent settings.)