This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Acc. to Wireshark, 99.9% of my outgoing packets have a bad checksum…

2
1

Pretty much stated above. When applying the filter ip.src == <my IP>, almost all of the packets are color-coded "bad checksum". It claims all of the packets' checksums are 0x0000. ATM, I have ~2500 packets in the filter, and probably less than 10 of them aren't highlighted as having a bad checksum. Is this a bug in Wireshark, or is something seriously wrong with my internet connection?

asked 25 Oct '10, 16:35

hmmwhatsthisdo's gravatar image

hmmwhatsthisdo
31347
accept rate: 0%

edited 25 Oct '10, 16:52


2 Answers:

2

Answer: neither....

Sounds like checksum offloading.

See:

http://wiki.wireshark.org/CaptureSetup/Offloading

http://wiki.wireshark.org/TCP_Checksum_Verification

In a nutshell: the NIC card does the checksum calculation just before sending the packet on the wire.
So: when Wireshark gets the packet, the checksum is 0 because it hasn't been calculated yet.

There's no actual problem. See the referenced links for how to disable the verification of the checksum in Wireshark.

(Ps: Please use "comment" rather than "answer": See the FAQ as to how ask.wireshark works)

answered 25 Oct '10, 16:58

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 25 Oct '10, 17:23

And, this won't do any sort of damage to my network connection?

EDIT: It seems to have helped. Apparently there's 5 different options you need to (un)set in the network adapter - IPv4 Checksum Offload, TCP Checksum Offload (one for IPv4 and one for IPv6), and UDP Checksum Offload (same situation as TCP).

(25 Oct '10, 17:00) hmmwhatsthisdo
2

You don't want to disable checksum offloading in the adapter - you can disable verification of checksums in Wireshark so this doesn't bother you.

Edit > Preferences > + Protocols .... disable Validate the x Checksum if possible in UDP, TCP and IP

(25 Oct '10, 18:12) lchappell ♦

Why wouldn't I want to disable checksum offloading in the adapter? Is it some sort of security risk?

(25 Oct '10, 18:16) hmmwhatsthisdo
2

It's some sort of potential performance risk - if disabled, the CPU has to fetch every byte of the packet data to compute the checksum in the CPU, but, if enabled, the adapter, which has to fetch every byte anyway to transmit it, can compute the checksum in its hardware.

(25 Oct '10, 19:00) Guy Harris ♦♦

So, do you recommend I disable checksum offloading in Windows, disable checksum verification in WS, or both?

(25 Oct '10, 19:01) hmmwhatsthisdo

It's better to disable on the WS side. I'm having the same problem because some pcs can connect to the server and other can't. So I run the WS on the server side but it shows me a lot of Offloading IP checksum errors. Can the network adapter be damaged?

(05 Oct '12, 11:16) Brennero Pardo

@Brennero Pardo: If it shows them on outgoing packets, then it's the same problem. If you want to see the checksums of all packets on the wire/on the air, you'd need to run a sniffer on a separate machine and passively tap the network, or run it on both client and server and look at the checksums only on packets received by each of the machines.

(05 Oct '12, 11:29) Guy Harris ♦♦
showing 5 of 7 show 2 more comments

1

For right now, I'd disable checksum verification in Wireshark if the false alarms bother you.

One point of interest...if the machine in question is running Windows Server 2003 SP2 or Windows Small Business Server, there are specific client/server performance issues related to those features. See http://support.microsoft.com/kb/948496 if you are running either of those operating systems.

answered 26 Oct '10, 10:46

wesmorgan1's gravatar image

wesmorgan1
411101221
accept rate: 4%