Huang Tao wrote: > When I use winpcap to capture the outbound TCP packet, for the ack message which is just 40 byte long with IP header and TCP header only, > the checksum in the tcp header is wrong. > > For example, I capture the TCP packets during a TCP connection. > There are totally three tcp packets will be captured. The SYN packet, SYN ACK packet and the ACK packet. > The checksum in the tcp header of the first two tcp packet are both correct, but for the last ACK packet, the checksum > is wrong. > But I also use winpcap to capture the packet in another computer in the same subnet and also capture these three packet. > I found that the tcp checksum of the third packet captured by this computer is correct. I am really confused........
> It seems that the NIC change the tcp checksum before sending it out? or the packet is not correctly captured by winpcap? The computer you are capturing the packets on is probably using TCP checksum offloading for outgoing packets. The calculation of checksum is then calculated by the network interface. http://www.ethereal.com/faq.html#q5.14 > > Another problem I found is the length of the third packet. > the caplen of the third packet captured in the first computer is 54(14 MAC + 20 IP + 20 TCP) byte and the len in IP header is also 40 bytes. > but the caplen of the third packet captured in the second computer is 60(14 MAC + 20 IP + 20 TCP + 6 ??? ) byte and the len in IP header is stil 40 bytes. > because the 4 bit TCP Header length is 5 which means the length of TCP header should be 20 byte, then what is the last 6 byte for ????? > Ethernet packets are 64 bytes minimum when sent over the wire (60 bytes + 4 bytes FCS/CRC). The CRC is normally not visible when capturing with winpcap http://wks.uts.ohio-state.edu/sysadm_course/html/sysadm-326.html There is 6 bytes padding on the incoming packet. For outgoing packets the padding is normally not visible in the capture since it is added afterwards. ================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==================================================================
