This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ICMP PING checksum [correct]

0

When looking at the ICMP (not IP) info from a PING conversation, what does the '[correct]' next to 'checksum' pertain to? It appears the checksum being displayed is with respect to the data being sent; if that's the case, how can the PING request say [correct] when it hasn't received anything?
What is being checked to generate the [correct], not just on the requesting side, but both?

asked 05 Nov '12, 08:21

Jim Diesel


2 Answers:

2

[correct] means that Wireshark calculated the value that the checksum field in the ICMP header should have, according to RFC 792, and it's equal to the value it does have. That's all it means. (And, yes, I'm familiar with the Wireshark code; this is the log entry for the checkin that added the code to check the checksum:

------------------------------------------------------------------------
r2522 | guy | 2000-10-20 21:34:47 -0700 (Fri, 20 Oct 2000) | 3 lines

Check ICMP checksum. XXX - won't work if the ICMP packet is inside a fragmented IP datagram, although that's probably extremely unlikely.

answered 05 Nov '12, 12:39

Guy Harris ♦♦

Thank you.

(05 Nov '12, 13:00) Jim Diesel

If a supplied answer resolves your question can you please “accept” it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(05 Nov '12, 14:26) grahamb ♦

1

That's the ICMP checksum as defined in RFC 792. The checksum calculation is defined for each type/code combination.

http://www.ietf.org/rfc/rfc792.txt

Cite: Checksum for echo request/response.

Checksum The checksum is the 16-bit ones's complement of the one's complement sum of the ICMP message starting with the ICMP Type. For computing the checksum , the checksum field should be zero. If the total length is odd, the received data is padded with one octet of zeros for computing the checksum. This checksum may be replaced in the future.

So, to answer your question: the [correct] means that Wireshark calculated the value itself and found that it's the same as the one in the ICMP packet.

Please also check the following question:

http://ask.wireshark.org/questions/11061/icmp-checksum

Regards
Kurt

answered 05 Nov '12, 08:49

Kurt Knochner ♦

edited 05 Nov '12, 12:20

Unfortunately, that's not what I was asking for; please reread my question. In Wireshark, what is the [correct] next to the checksum saying is correct? I've already seen the documentation on calculating the checksum; that's not what I'm asking about. I want to know what Wireshark is saying is correct. Consider your answer before posting; if you aren't familiar with the Wireshark code, please let someone who is answer the question.

(05 Nov '12, 10:16) Jim Diesel
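
The check both answers describe, as an added example (not Wireshark's code and not part of the original posts): it computes the RFC 792 checksum over one captured ICMP message with the checksum field treated as zero and compares it with the stored value, which is why a request can be checked on its own, before any reply exists. The function names and the sample packets are constructed for illustration.

```python
import struct

def ones_complement_sum16(data: bytes) -> int:
    """One's complement sum of the 16-bit big-endian words in data."""
    if len(data) % 2:
        data += b"\x00"              # odd length: pad with one zero octet
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def icmp_checksum(message: bytes) -> int:
    """Value the checksum field should hold (field itself counted as zero)."""
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return ~ones_complement_sum16(zeroed) & 0xFFFF

def check_icmp(message: bytes):
    """Return (matches, value_in_packet, value_expected) for one ICMP message.

    Needs the complete message, starting at the ICMP Type octet; a message
    split across IP fragments has to be reassembled first.
    """
    if len(message) < 8:
        raise ValueError("ICMP echo header is 8 octets")
    stored = struct.unpack("!H", message[2:4])[0]
    expected = icmp_checksum(message)
    return stored == expected, stored, expected

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or reply (type 0) the way a sender does."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

# Constructed sample messages (not taken from a real capture).
REQUEST = build_echo(8, 1, 1, b"abcde")      # odd-length payload exercises padding
REPLY = build_echo(0, 1, 1, b"abcde")        # reply carries its own checksum
CORRUPTED = REQUEST[:-1] + b"X"              # one payload octet altered in transit

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("corrupted", CORRUPTED)):
        ok, stored, expected = check_icmp(pkt)
        verdict = "correct" if ok else f"incorrect, should be 0x{expected:04x}"
        print(f"{name}: checksum 0x{stored:04x} [{verdict}]")
```

Each message is verified against its own bytes only: the request and the reply carry different checksums because the Type octet differs, and neither depends on the other.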