[Winpcap-users] (RESOLVED) FCS validation? How?!

Fish fish at infidels.org
Wed Jul 16 08:31:09 GMT 2008

To make a long story short it turns out it was actually a bug in our
emulator wherein it was calculating the size of the Ethernet packet
incorrectly.  <%(

Briefly, all Ethernet packets coming into our emulator from the guest
virtual machine are coming to us in "batches". (This is because the
device the guest is writing its packets to is not a true network
adapter device but is instead an IBM "LCS" (LAN Channel Station)
device, which our emulator provides emulation of.)

Each Ethernet packet in the batch is preceded by a control header,
and the entire batch is terminated by a 2-byte "EOF" marker. During
the calculation of the size of the Ethernet packet to be written to
WinPcap, we were inadvertently forgetting to compensate for the
2-byte end-of-batch terminator. As a result, the Ethernet packets we
were writing to WinPcap (and thus out on the wire) were always
2 bytes longer than they should have been.

Wireshark (or Packetyzer, etc -- pick the Network Analyzer / packet
sniffer of your choice) would then notice the packet was longer than
it should have been and incorrectly(?) presumed there was a Frame
Check Sequence (FCS) following it that, not unexpectedly, was
incorrect given the frame it was for.

My apologies for bothering the group with this issue but I was at the
time honestly stumped and simply ASS-U-MEd it was the guest that was
appending an FCS. (Oops!)

So problem solved. It's working great now. Thanks anyway.

We now return you to your regularly scheduled program already in
progress. :)

-- 
"Fish" (David B. Trout) - fish(at)infidels.org
Fight Spam! Join CAUCE! <http://www.cauce.org/>
(Any HTML email received will be deleted unread)
PGP key fingerprints:
RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A
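
Added example, not part of the original post or of the emulator's code: a C check that counts the bytes following the IPv4 datagram inside an Ethernet II frame, so a frame that is 2 bytes too long is caught before it is written out. The function names and the sample frame are constructed for illustration, and the check assumes untagged Ethernet II frames carrying IPv4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ETHERTYPE_IP  0x0800

/* Bytes left in an Ethernet II frame after the IPv4 datagram it carries.
 * Returns -1 if the frame is not IPv4, is truncated, or the IPv4 header
 * is inconsistent. A sender that does no padding of its own should see
 * 0 here before handing the frame to the capture library. */
static int eth_ipv4_trailer_len(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20)
        return -1;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IP)
        return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || total < ihl)
        return -1;
    if (ETH_HDR_LEN + total > len)
        return -1;                      /* datagram cut short */
    return (int)(len - ETH_HDR_LEN - total);
}

/* Constructed sample: minimal Ethernet II + IPv4 frame with `extra`
 * stray bytes appended, as a miscounted batch terminator would be. */
static size_t make_sample_frame(uint8_t *buf, uint16_t ip_total, size_t extra)
{
    size_t len = ETH_HDR_LEN + ip_total + extra;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;     /* EtherType IPv4 */
    buf[14] = 0x45;                     /* version 4, IHL 5 */
    buf[16] = (uint8_t)(ip_total >> 8);
    buf[17] = (uint8_t)(ip_total & 0xFF);
    return len;
}

int main(void)
{
    uint8_t buf[256];
    size_t good = make_sample_frame(buf, 84, 0);
    printf("correct size: trailer=%d\n", eth_ipv4_trailer_len(buf, good));
    size_t bad = make_sample_frame(buf, 84, 2);
    printf("2 bytes over: trailer=%d\n", eth_ipv4_trailer_len(buf, bad));
    return 0;
}
```

Frames captured off the wire that are shorter than the Ethernet minimum carry padding, so a non-zero result there is expected; on the sending side a non-zero result points at a length calculation error.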
