[luv-main] tcpdump catch incorrect checksum

Does anyone know how to make a rule for tcpdump to catch only packets with a bad checksum? A Google search on such things is full of noise from people who don't understand TCP checksum offload...

Thanks

James

On 2011-09-21 11:36, James Harper wrote:
> Does anyone know how to make a rule for tcpdump to catch only packets with a bad checksum? A Google search on such things is full of noise from people who don't understand TCP checksum offload...

Hi James,

I've done some research, and it appears that tcpdump can't do this itself. Tcpdump supports filtering based on TCP flags (e.g. tcp-syn, tcp-ack), but there's no mention of checksums. However I did notice that both Tshark and Wireshark support this flag in the read (display) filter using the '-R' flag. Search the wireshark-filter(4) manpage for tcp.checksum (also tcp.checksum_good, tcp.checksum_bad).

Hope that helps.

-- 
Regards,
Matthew Cengia