Ask Your Question
0

tcp checksum offload and non-zero value

asked 2018-11-23 19:10:44 +0000

I have capture taken from a CentOS 7 VM where several TCP packets show an incorrect checksum possibly caused by "TCP checksum offloading".

There is an unusually high volume of these packets (73) for it be legitimate it seems. The value of this field is not zero however.

My question is when TCP checksum offloading occurs, should this value be zeroed? If not, any ideas what happened here?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2018-11-24 21:12:30 +0000

andrew007 gravatar image

I have been trying to check the TCP checksum offload and non zero value in the network system which when I check I could not understand the value. I have got the error code 43 mac in my MacBook pro which I was looking to fix with easy steps.

edit flag offensive delete link more
0

answered 2018-11-23 20:26:11 +0000

updated 2018-11-24 06:12:51 +0000

Just checked some of my traces.

So I found the next. Among the packets with wrong checksum:

  • All TCP checksums I've seen are nonzero;
  • All UDP checksums I've seen are nonzero too;
  • IP checksums sometimes are zeroed, sometimes are not.

It would be nice to hear where these checksums fields are coming from. Probably it depends on TCP stack implementation.

As for high volume I don't see any problem with that, there might be tons of such packets (basically all of the sent packets containing TCP).

edit flag offensive delete link more

Comments

@Packet_vlad you misunderstood. Of course all the packets will have checksums. That is not the issue. The TCP packets are being reported as having an INCORRECT checksum.

There is a problem if you have a high volume of packets with incorrect checksums. Furthermore, the packets were replied to which means the receiver didn't determine the checksums were invalid.

This is most likely do to TCP checksum offloading but I was under the impression that there will be no checksum in this instance because Wireshark captures the frame before the checksum is actually computed.

vsharker gravatar imagevsharker ( 2018-11-23 23:22:35 +0000 )edit

"No checksum" doesn't necessarily mean "checksum field is zero" - it might be that, when transmitting packets on an interface that does checksumming of outgoing IP/TCP or IP/UDP packets, the networking stack not only doesn't bother generating a checksum, it doesn't even bother zeroing out the checksum fields, leaving whatever junk was there in memory.

Guy Harris gravatar imageGuy Harris ( 2018-11-23 23:58:47 +0000 )edit

@Guy Harris that could be the case. It would be great if someone could confirm.

vsharker gravatar imagevsharker ( 2018-11-24 00:01:07 +0000 )edit

@vsharker The statistics I wrote about in my answer was regarding packets that ALL have "Incorrect checkum" warning. Just different type of wrong checksum (TCP/UDP/IP). Sorry, I wasn't clear enough. I corrected the answer.

For sure the receiver doesn't consider these checksums invalid because they get overwritten by NIC with another correct ones so it doesn't matter whether you have large volume of them.

Packet_vlad gravatar imagePacket_vlad ( 2018-11-24 06:04:15 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-11-23 19:10:44 +0000

Seen: 47 times

Last updated: Nov 24