
TCP Checksum does not match the wireshark checksum (off by exactly 1)

I have the following process to calculate the TCP checksum

static inline uint32_t
csum_part(const void *buf, size_t len, uint32_t sum)
{
   uintptr_t p = (uintptr_t)buf;

   while (len > 1)
   {
      sum += *(uint16_t *)p;
      len -= 2;
      p += 2;
   }

   if (len)
      sum += *(uint8_t *)p;

   return sum;
}

and the following function to pack it

uint16_t calc(uint32_t x)
{
   while ((x >> 16) != 0)
      x = (x & 0xffff) + (x >> 16);

   return ~x;
}

When I calculate the checksum for the header I use the following code

uint32_t calc_tcp_checksum(char *pkt, int hdrlen, int pktlen)
{
   struct ip *ih = (struct ip *)
      (pkt + hdrlen - sizeof(struct tcphdr) - sizeof(struct ip));

   struct tcphdr *th = (struct tcphdr *)
      (pkt + hdrlen - sizeof(struct tcphdr));

#ifndef __FAVOR_BSD
   th->check = 0;
#else
   th->th_sum = 0;
#endif

   uint32_t header_chksum = csum_part(th, sizeof(struct tcphdr), 0);

   uint32_t pseudo = (uint32_t)ih->ip_src.s_addr + ih->ip_dst.s_addr +
      htons(IPPROTO_TCP) + htons(pktlen);

   header_chksum += pseudo;

   return header_chksum;
}

I have a packet which is the following

0000   58 f3 9c 81 2b bc 00 1c 73 13 1f 94 08 00 45 00
0010   00 dc 00 00 40 00 40 06 40 19 0a e6 35 90 ac 13
0020   0d 7a b9 be 2a 44 63 36 c2 98 c7 82 d0 1e 50 18
0030   10 00 eb 15 00 00 00 b4 00 00 09 cd 1c fb 66 40
0040   ec c7 0d 30 cb 0b e4 cb 88 74 13 3d 4e 20 00 00
0050   9a d6 00 00 00 00 9f db 4f 50 54 49 44 58 42 41
0060   4e 4b 4e 49 46 54 59 20 4d 03 8a e8 00 2d ed d0
0070   43 45 46 4e 45 30 30 30 37 20 20 20 00 01 00 02
0080   00 00 00 00 00 00 00 4b 00 00 a7 7b 00 00 00 00
0090   02 00 00 02 00 00 9a d6 39 30 30 35 39 4f 49 43
00a0   49 43 49 30 30 30 30 35 32 30 00 01 02 00 b0 6d
00b0   c8 04 42 f6 bd f9 52 7c 42 80 41 41 45 43 45 32
00c0   34 31 33 51 00 00 a1 e4 00 00 00 00 00 00 00 00
00d0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00e0   00 00 00 00 00 00 00 00 00 00 72 dd 89 69

In the example above, pktlen = 180 and hdrlen = 54.

I get the checksum to be 0xeb15, Wireshark says it's 0xea15. What am I doing wrong? Note that it is not always incorrect, just sometimes.

Section 4.1 of RFC 1071 - Computing the Internet Checksum provides an implementation example in "C", which seems to be the method you're basing your implementation on. Except that the RFC 1071 example combines the folding part within the same function that computes the checksum, whereas your implementation does not. RFC 1071 obviously assumes that the pseudo-header is already included in the buffer pointed to by addr, but again, yours does not. This would all be OK, except that you never actually fold the final result by calling your calc() function, at least not that I can see.

So for your implementation, it would seem that any computed TCP checksum that doesn't have any bits set in the upper 16-bits of the 32-bit accumulator will be correct, but any computed checksum that does have at least 1 bit set in the upper 16-bits of the accumulator will result in an incorrect TCP calculation. I believe this would explain why some checksums your code computes are correct and some are wrong.

And in case you're interested, you can have a look at Wireshark's implementation of Internet checksums in in_cksum.c as well as how it's called from the TCP dissector.
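
The fold step the answer describes, as an added example that is not part of the original question or answer: it sums the IPv4 pseudo-header and TCP segment into a 32-bit accumulator, then compares the folded checksum with the value obtained by truncating without folding. The function names (csum_add, tcp_sum32, csum_fold) are hypothetical; the addresses and TCP header bytes are taken from the question's packet with the checksum field zeroed, and the 3-byte payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1071 sum of big-endian 16-bit words; an odd trailing byte is padded
 * with a zero low byte. Byte reads avoid alignment and endianness issues. */
static uint32_t csum_add(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Unfolded accumulator over the IPv4 pseudo-header plus the TCP segment. */
static uint32_t tcp_sum32(const uint8_t src[4], const uint8_t dst[4],
                          const uint8_t *seg, size_t seglen)
{
    uint32_t sum = csum_add(src, 4, 0);
    sum = csum_add(dst, 4, sum);
    sum += 6;                 /* zero byte + protocol number (TCP) */
    sum += (uint32_t)seglen;  /* TCP length: header + payload */
    return csum_add(seg, seglen, sum);
}

/* Fold the carries back into the low 16 bits, then complement. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Addresses and TCP header from the question's capture, checksum field
 * (bytes 16-17) zeroed; the payload "abc" is constructed. */
static const uint8_t SRC[4] = {0x0a, 0xe6, 0x35, 0x90};
static const uint8_t DST[4] = {0xac, 0x13, 0x0d, 0x7a};
static uint8_t sample_seg[23] = {
    0xb9, 0xbe, 0x2a, 0x44, 0x63, 0x36, 0xc2, 0x98, 0xc7, 0x82,
    0xd0, 0x1e, 0x50, 0x18, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 'a', 'b', 'c'};

int main(void)
{
    uint32_t raw = tcp_sum32(SRC, DST, sample_seg, sizeof sample_seg);
    printf("raw=0x%x folded=0x%04x truncated=0x%04x\n", (unsigned)raw,
           (unsigned)csum_fold(raw), (unsigned)(uint16_t)~raw);
    return 0;
}
```

A receiver validates the same way: with the checksum written into bytes 16-17, the folded result over pseudo-header and segment is 0.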
