Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] master 104a6ed: Disable IPv4 checksum ve
From: Jasper Bongertz <[email protected]>
Date: Sun, 2 Mar 2014 15:14:14 +0100
> On Sat, Mar 01, 2014 at 01:49:58PM +0000, Wireshark code review wrote:
>> URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=104a6edd1fb703c5c2319c893720df86f8c9a9e7
> ...
>> 104a6ed by Gerald Combs ([email protected]):
>> 
>>     Disable IPv4 checksum verfification to match TCP and UDP.
>>     
>>     Offloading seems to be very common nowadays and having this option
>>     enabled by default generates a lot of false positives. Suggested by
>>     Laura Chappell.
>>     
>>     Change-Id: I285f218efb3c9f164d8ad7a6d6de8270e442ffff

> While this is currently the right thing to do, it might make more sense
> to disable all this checksum verification stuff only for outgoing traffic.
> Unfortunately our current captures don't support that distinction. What
> would be required where to make this possible?
> My guess:
> - Add a metadata element "direction" to the capture information provided
>   by the network driver and
> - add "direction" element to libpcap packet header and fill it with the
>   information from above.
> How much work would that amount to?

The pcap-ng file format has "packet blog flags" in the EPB block type,
which has two bits to indicate direction (00 = information not
available, 01 = inbound, 10 = outbound). I don't think those flags are
being  set by dumpcap as of now, but it would be the way to go from my
point of view.

See
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionepb
and http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#appendixPBFM

Cheers,
Jasper