> On Sat, Mar 01, 2014 at 01:49:58PM +0000, Wireshark code review wrote: >> URL: >> https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=104a6edd1fb703c5c2319c893720df86f8c9a9e7 > ... >> 104a6ed by Gerald Combs ([email protected]): >> >> Disable IPv4 checksum verfification to match TCP and UDP. >> >> Offloading seems to be very common nowadays and having this option >> enabled by default generates a lot of false positives. Suggested by >> Laura Chappell. >> >> Change-Id: I285f218efb3c9f164d8ad7a6d6de8270e442ffff
> While this is currently the right thing to do, it might make more sense > to disable all this checksum verification stuff only for outgoing traffic. > Unfortunately our current captures don't support that distinction. What > would be required where to make this possible? > My guess: > - Add a metadata element "direction" to the capture information provided > by the network driver and > - add "direction" element to libpcap packet header and fill it with the > information from above. > How much work would that amount to? The pcap-ng file format has "packet blog flags" in the EPB block type, which has two bits to indicate direction (00 = information not available, 01 = inbound, 10 = outbound). I don't think those flags are being set by dumpcap as of now, but it would be the way to go from my point of view. See http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionepb and http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#appendixPBFM Cheers, Jasper ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
