Pretty much stated above. When applying the filter ip.src == <my IP>, almost all of the packets are color-coded "bad checksum". It claims all of the packets' checksums are 0x0000. ATM, I have ~2500 packets in the filter, and probably less than 10 of them aren't highlighted as having a bad checksum. Is this a bug in Wireshark, or is something seriously wrong with my internet connection?

asked 25 Oct '10, 16:35

hmmwhatsthisdo's gravatar image

accept rate: 0%

edited 25 Oct '10, 16:52

Answer: neither....

Sounds like checksum offloading.


In a nutshell: the NIC card does the checksum calculation just before sending the packet on the wire.
So: when Wireshark gets the packet, the checksum is 0 because it hasn't been calculated yet.

There's no actual problem. See the referenced links for how to disable the verification of the checksum in Wireshark.

(Ps: Please use "comment" rather than "answer": See the FAQ as to how ask.wireshark works)


answered 25 Oct '10, 16:58

Bill%20Meier's gravatar image

Bill Meier ♦♦
accept rate: 15%

edited 25 Oct '10, 17:23

And, this won't do any sort of damage to my network connection?

EDIT: It seems to have helped. Apparently there's 5 different options you need to (un)set in the network adapter - IPv4 Checksum Offload, TCP Checksum Offload (one for IPv4 and one for IPv6), and UDP Checksum Offload (same situation as TCP).

(25 Oct '10, 17:00) hmmwhatsthisdo

You don't want to disable checksum offloading in the adapter - you can disable verification of checksums in Wireshark so this doesn't bother you.

Edit > Preferences > + Protocols .... disable Validate the x Checksum if possible in UDP, TCP and IP

(25 Oct '10, 18:12) lchappell ♦

Why wouldn't I want to disable checksum offloading in the adapter? Is it some sort of security risk?

(25 Oct '10, 18:16) hmmwhatsthisdo

It's some sort of potential performance risk - if disabled, the CPU has to fetch every byte of the packet data to compute the checksum in the CPU, but, if enabled, the adapter, which has to fetch every byte anyway to transmit it, can compute the checksum in its hardware.

(25 Oct '10, 19:00) Guy Harris ♦♦

So, do you recommend I disable checksum offloading in Windows, disable checksum verification in WS, or both?

(25 Oct '10, 19:01) hmmwhatsthisdo

It's better to disable on the WS side. I'm having the same problem because some pcs can connect to the server and other can't. So I run the WS on the server side but it shows me a lot of Offloading IP checksum errors. Can the network adapter be damaged?

(05 Oct '12, 11:16) Brennero Pardo

@Brennero Pardo: If it shows them on outgoing packets, then it's the same problem. If you want to see the checksums of all packets on the wire/on the air, you'd need to run a sniffer on a separate machine and passively tap the network, or run it on both client and server and look at the checksums only on packets received by each of the machines.

(05 Oct '12, 11:29) Guy Harris ♦♦
showing 5 of 7 show 2 more comments

For right now, I'd disable checksum verification in Wireshark if the false alarms bother you.

One point of interest...if the machine in question is running Windows Server 2003 SP2 or Windows Small Business Server, there are specific client/server performance issues related to those features. See if you are running either of those operating systems.


answered 26 Oct '10, 10:46

wesmorgan1's gravatar image

accept rate: 5%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 25 Oct '10, 16:35

Seen: 28,127 times

Last updated: 05 Oct '12, 11:29

powered by OSQA