[Winpcap-users] FCS validation? How?!

Fish fish at infidels.org
Tue Jul 8 08:26:18 GMT 2008

Hash: SHA1


I hope there's an expert out there that can help me. :)

We've written a DLL that acts as the intermediary between our virtual
machine[1] and the real Windows network (via WinPcap).

The virtual machine writes packets (Ethernet frames) to what it
thinks is a real network adapter and our DLL then asks WinPcap to
write them to the real Windows adapter.[2]

The frames are not modified in any way and are written [to WinPcap]
AS IS (i.e. they are written exactly as they were given to us by the
virtual machine).

Using Packetyzer (and recently Wireshark) to sniff local network
traffic recently, I was surprised to see that each and every packet
coming FROM any of the virtual machines had an invalid Frame Check
Sequence! (FCS).

The question of course is why.

I suspect the virtual machine is, for whatever reason, appending its
own FCS to each frame it writes (to what it THINKS is a real network
adapter[3]) even though as I understand it, it shouldn't actually
need to (since as I understand it that's the responsibility of the
hardware device and not the networking stack software).

My question is simple: how can one manually calculate the FCS for a
given, arbitrary, Ethernet frame?!

I know the algorithm (CRC-32) but what I *don't* know is, how big the
Ethernet frame is.

Oh sure! For IP frames it's easy (just as it is for other well known
protocols such as ARP, RARP, etc), but since the old "frame length"
field is now simply a "protocol" field for Ethernet II, it seems the
only way to know how big a given frame is, is by adding support for
every possible protocol that exists! (which is of course nuts!)

How does WinPcap do it?

Or am I asking this question on the wrong list?

What I'd like to do is make a change to our DLL (that receives these
packets from the virtual machine) that validates the FCS before
they're passed on to WinPcap (or for that matter to verify the frames
even HAVE fcs's, valid or not!), and possibly "fixes them" if they're

But how do I do that?!

How do I determine where the frame ends (how long it is?) and thus
where the FCS is supposed to be?!


- -- 
"Fish" (David B. Trout) - fish(at)infidels.org
Fight Spam! Join CAUCE! <http://www.cauce.org/>
(Any HTML email received will be deleted unread)
PGP key fingerprints:
RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A

[1] An IBM mainframe emulator called Hercules:

[2] The reverse is also true as well. Packets (Ethernet frames) that
WinPcap captures from the real network (Windows's adapter) are passed
back to the virtual machine, but this of course isn't relevant to our

[3] Not actually true but close enough. The actual piece of hardware
we're emulating is an IBM "LCS" device (Lan Channel Station) -- a
piece of mainframe networking hardware that connects a mainframe to
an Ethernet network.

[4] It's another question entirely as to WHY they're wrong in the
first place. It could well be that this particular piece of mainframe
hardware doesn't use CRC-32 FCS's for some reason, and instead relies
on the software to calculate some sort of non-standard checksum or
something. <shrug> I don't know. It's something I need to look into.

Version: PGP 8.1


More information about the Winpcap-users mailing list