I have capture taken from a CentOS 7 VM where several TCP packets show an incorrect checksum possibly caused by "TCP checksum offloading".
There is an unusually high volume of these packets (73) for it be legitimate it seems. The value of this field is not zero however.
My question is when TCP checksum offloading occurs, should this value be zeroed? If not, any ideas what happened here?
I have been trying to check the TCP checksum offload and non zero value in the network system which when I check I could not understand the value. I have got the error code 43 mac in my MacBook pro which I was looking to fix with easy steps.
Just checked some of my traces.
So I found the next. Among the packets with wrong checksum:
It would be nice to hear where these checksums fields are coming from. Probably it depends on TCP stack implementation.
As for high volume I don't see any problem with that, there might be tons of such packets (basically all of the sent packets containing TCP).
@Packet_vlad you misunderstood. Of course all the packets will have checksums. That is not the issue. The TCP packets are being reported as having an INCORRECT checksum.
There is a problem if you have a high volume of packets with incorrect checksums. Furthermore, the packets were replied to which means the receiver didn't determine the checksums were invalid.
This is most likely do to TCP checksum offloading but I was under the impression that there will be no checksum in this instance because Wireshark captures the frame before the checksum is actually computed.
"No checksum" doesn't necessarily mean "checksum field is zero" - it might be that, when transmitting packets on an interface that does checksumming of outgoing IP/TCP or IP/UDP packets, the networking stack not only doesn't bother generating a checksum, it doesn't even bother zeroing out the checksum fields, leaving whatever junk was there in memory.
@Guy Harris that could be the case. It would be great if someone could confirm.
@vsharker The statistics I wrote about in my answer was regarding packets that ALL have "Incorrect checkum" warning. Just different type of wrong checksum (TCP/UDP/IP). Sorry, I wasn't clear enough. I corrected the answer.
For sure the receiver doesn't consider these checksums invalid because they get overwritten by NIC with another correct ones so it doesn't matter whether you have large volume of them.
Asked: 2018-11-23 19:10:44 +0000
Seen: 497 times
Last updated: Nov 24 '18
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
