> On Sat, Mar 01, 2014 at 01:49:58PM +0000, Wireshark code review wrote:
>> URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=104a6edd1fb703c5c2319c893720df86f8c9a9e7
> ...
>> 104a6ed by Gerald Combs (gerald@xxxxxxxxxxxxx):
>>
>> Disable IPv4 checksum verfification to match TCP and UDP.
>>
>> Offloading seems to be very common nowadays and having this option
>> enabled by default generates a lot of false positives. Suggested by
>> Laura Chappell.
>>
>> Change-Id: I285f218efb3c9f164d8ad7a6d6de8270e442ffff
> While this is currently the right thing to do, it might make more sense
> to disable all this checksum verification stuff only for outgoing traffic.
> Unfortunately our current captures don't support that distinction. What
> would be required where to make this possible?
> My guess:
> - Add a metadata element "direction" to the capture information provided
> by the network driver and
> - add "direction" element to libpcap packet header and fill it with the
> information from above.
> How much work would that amount to?
The pcap-ng file format has "packet blog flags" in the EPB block type,
which has two bits to indicate direction (00 = information not
available, 01 = inbound, 10 = outbound). I don't think those flags are
being set by dumpcap as of now, but it would be the way to go from my
point of view.
See
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionepb
and http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#appendixPBFM
Cheers,
Jasper
