Is there any reason why TCP checksum validation would be disabled? I believe I spotted a host communicating with a CnC server, then being redirected to another potential drive-by download site.

The disabled TCP checksum validation is for incoming traffic from the potential CnC server.

Thanks

asked 09 Feb '11, 02:26

eygobigmoney


Yes. The reason is that Wireshark is very often used to capture the network frames of the same PC that is running Wireshark. This usually results in the checksums of outgoing frames being incorrect, since they are only calculated for transmission by the network card after they have already been recorded by Wireshark. To avoid constant "checksum error" messages it was decided to have checksum validation disabled by default.

It may sound stupid to disable checksum validation, since we want to find damaged packets with Wireshark when tracking down errors. But the fact is that frames with damaged checksums won't survive long anyway, since every switch or router will probably drop them for being defective; and even if the frame makes it to your network card, it will still drop it before Wireshark ever sees it. This is the reason why some commercial sniffers have specialized NIC drivers for certain cards that allow capturing damaged frames with them.


answered 09 Feb '11, 03:12

Jasper ♦
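To make the mechanism in Jasper's answer concrete, here is an added example (not part of the original answer or of Wireshark's code) that recomputes the TCP checksum exactly as a validating dissector does, over the IPv4 pseudo-header plus the segment with its checksum field zeroed, and shows why a SYN captured on the sending host fails validation when the NIC is going to fill the checksum in later. The addresses, ports and sequence number are constructed for the example; leaving the checksum field at 0 to stand in for the pre-offload placeholder is an assumption, since what the stack actually leaves there depends on the OS.

```python
"""Added example: RFC 793 TCP checksum computation and validation, and the
effect of transmit checksum offload on a locally captured frame.
All packets and addresses below are constructed for this example."""
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """One's complement of the sum over the IPv4 pseudo-header
    (src, dst, zero, protocol, TCP length) plus the whole TCP segment,
    with the segment's checksum field (bytes 16-17) taken as zero."""
    pseudo = struct.pack("!4s4sBBH",
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the checksum carried in the segment matches the recomputed one."""
    carried = struct.unpack("!H", segment[16:18])[0]
    return carried == tcp_checksum(src_ip, dst_ip, segment)


def build_syn(src_ip, dst_ip, sport, dport, seq, offloaded=False) -> bytes:
    """Constructed 20-byte SYN with no options. With offloaded=True the
    checksum field is left at 0, standing in for whatever placeholder the
    stack leaves there before the NIC fills it in (assumption for this example)."""
    hdr = struct.pack("!HHIIBBHHH",
                      sport, dport, seq, 0,
                      5 << 4,        # data offset 5 words, reserved bits 0
                      0x02,          # flags: SYN
                      65535, 0, 0)   # window, checksum (filled below), urgent ptr
    if not offloaded:
        hdr = hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]
    return hdr


SRC, DST = "10.0.0.2", "192.0.2.10"  # constructed addresses

if __name__ == "__main__":
    on_wire = build_syn(SRC, DST, 40000, 80, 0x12345678)
    captured_locally = build_syn(SRC, DST, 40000, 80, 0x12345678, offloaded=True)
    print("checksum on the wire: 0x%04x" % tcp_checksum(SRC, DST, on_wire))
    print("valid as sent:", tcp_checksum_valid(SRC, DST, on_wire))
    print("valid as captured on the sending host:",
          tcp_checksum_valid(SRC, DST, captured_locally))
```

The same recomputation is what Wireshark performs when you turn on Edit > Preferences > Protocols > TCP > "Validate the TCP checksum if possible" (or `tshark -o tcp.check_checksum:TRUE`). If you want real checksums in a capture taken on the sending host, disable transmit checksum offload on the interface first (on Linux, `ethtool -K <iface> tx off`), otherwise every outgoing segment from that host will be flagged as bad regardless of what the remote side sent.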

Although Jasper answered "Why are TCP checksums disabled by default" perfectly, I believe your question might not have been answered. Or maybe I just got confused.

I believe your question is how to detect if someone spoofed another host and hijacked your session? Well, this is not the purpose of TCP checksums. It is also not so easy to detect, as it can be done at several levels.

I'm curious though, were you able to spot this by enabling TCP checksum checking? And how?


answered 09 Feb '11, 13:07

SYN-bit ♦♦

I think when he's talking about CnC servers he means that he suspects a local PC of being infected by a botnet agent trying to contact its Command and Control server. To verify that you'd need computer/network forensics. I don't think that it has anything to do with spoofed sessions - but you're right, I only answered in regard to the CRC topic :-)

(10 Feb '11, 02:45) Jasper ♦

Seen: 10,482 times

Last updated: 10 Feb '11, 02:45