This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Checksum errors on Windows

0

I have a checksum problem on my computer and I know this because I can see it using Wireshark. The problem is it only happens when I use Win7 or Vista Business and not with XP Pro. I have capture files and would like for someone to look at them. At first I thought it was my NIC and I'm still not sure that it's not the NIC driver or something related to IPv6. Anyway, is there some way to upload files so that anyone can look at them? Am I not seeing a button? Thanks, Morris the Pat

asked 15 Sep '10, 13:02

mrpatmorris

edited 15 Sep '10, 15:41

Gerald Combs ♦♦

@mrpatmorris - Can you stop adding "answers" that don't answer your question? This isn't a web forum in the traditional sense.

(17 Sep '10, 08:35) Gerald Combs ♦♦

Sowwy dude, didn't mean to ruffle your panties. I'm an electronics geek. As far as this site goes, I never said I knew anything about "IT" including the rules of engagement for answering comments. They should have made the ADD NEW COMMENT button a little LARGER. I'm kinda dyslexic and tend to read paragraphs at a time and not lines. Also, relax man, take a pill cause life's too short. I have some nice little red ones for anxiety and will ship them free of charge. Just let me know, 10-4 good buddy?

(17 Sep '10, 12:09) mrpatmorris

Pat, we're all new to this kind of website and are all learning the ropes. We're gently trying to help others move in the same direction, so please relax... but don't take too many of the little red ones :-)

(18 Sep '10, 00:37) SYN-bit ♦♦

No worries Gerald, I got it now. The minute I got your email, I saw the ADD NEW COMMENT button. I swear that I am dyslexic. The other day going through a really nice section of town, I saw a sign that said "We buy Horses". I thought how odd that someone would put a sign about horses in such a nice neighborhood. Three days later, someone changed the sign to read, "We buy Houses" ;-)

(19 Sep '10, 23:06) mrpatmorris

13 Answers:

3

It sounds like classic checksum offloading to me. I assume those packets are showing up with a black background and red foreground in Wireshark. Let's try this... select View > Coloring Rules, then select Checksum Errors and click Disable. Now... are you seeing any other traffic with the black background/red foreground? Select Analyze > Expert Info Composite. Do you have anything under the Warnings, Notes or Errors section?

If you are not seeing retransmissions, then your outbound packets were in good shape when they arrived at the target - the checksum just wasn't calculated yet when Wireshark picked up the packet.

Checksum offloading is not an error - it's a feature &lt;g - heard that before?&gt; - seriously though - it just takes the processing requirements away from the stack and puts it on the NIC. Loads of systems ship with checksum offloading enabled.

answered 15 Sep '10, 19:01

lchappell ♦

1

Could this be related to "network offloading" ?

answered 15 Sep '10, 13:09

Bill Meier ♦♦

edited 15 Sep '10, 13:15

1

Hello Morris,

it's a little bit unclear to me where you've captured the data. Normally I would agree with Bill that if you've done the trace on the host itself, it might be that the OS/driver uses a feature which is called checksum offloading. If you've done the trace on a mirror or span port of a switch, then I agree, you shouldn't see the checksum errors. In regards to the IP address you've mentioned, it looks like you use private IPs which are natted on the router to your provider. It's quite normal that you also get traffic back, especially if you use TCP as mentioned. So you'll also see packets flowing in your direction, so your IP is the destination. If I got something wrong, upload a trace and I can have a look at it. Maybe this clarifies things.

regards Oliver

answered 15 Sep '10, 14:50

Oliver

1

I would bet that the NIC is fine and also the driver. The problem I was thinking about is that the OS is preparing the outgoing packet/frame, but it leaves the computing-intensive thing (calculating the checksum) for the NIC. This is called checksum offloading. Since Wireshark can't capture the packet anymore once it is already pushed to the NIC, you most likely have a wrong checksum (random memory values). To verify if you really have a problem, start a trace, surf to a page, e.g. www.google.com, then stop the trace. If you then see persistent retransmissions in the Wireshark main window, you may have a problem with your NIC/driver or your connection to the Internet is bad. If you don't see retransmissions, your NIC does checksum offloading. On some cards you can disable this under the driver settings, if you really want to get rid of the errors, which are most likely no errors. If you can't analyse the trace, upload it somewhere and I'll have a look.

regards Oliver

answered 15 Sep '10, 15:35

Oliver
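
Added example (not code from any poster in this thread): the check lchappell and Oliver describe above, sketched in Python. It assumes IPv4/TCP packets already extracted as raw bytes from a capture taken on the sending host; the addresses and the `build` and `classify` helpers are constructed for illustration, and retransmission detection is simplified to a repeated data-bearing sequence number.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum, folded, inverted."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_segment(ip: bytes) -> bytes:
    return ip[(ip[0] & 0x0F) * 4 : struct.unpack("!H", ip[2:4])[0]]

def tcp_checksum_ok(ip: bytes) -> bool:
    seg = tcp_segment(ip)  # checksum covers pseudo-header + segment
    return csum16(ip[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg) == 0

def classify(packets, local_ip: str) -> dict:
    local, seen = socket.inet_aton(local_ip), set()
    r = {"bad_out": 0, "bad_in": 0, "retrans": 0}
    for ip in (p for p in packets if p[0] >> 4 == 4 and p[9] == 6):
        seg = tcp_segment(ip)
        key = (ip[12:20], seg[:8])  # addresses, ports, sequence number
        if len(seg) > (seg[12] >> 4) * 4 and key in seen:
            r["retrans"] += 1  # same data-bearing segment seen twice
        seen.add(key)
        if not tcp_checksum_ok(ip):
            r["bad_out" if ip[12:16] == local else "bad_in"] += 1
    suspicious = r["bad_in"] or r["retrans"]
    r["verdict"] = "investigate" if suspicious else "offload" if r["bad_out"] else "clean"
    return r

def build(src, dst, sport, dport, seq, payload=b"", offloaded=False) -> bytes:
    """Constructed sample packet (IP header checksum left 0, not checked here)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    c = csum16(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    c = (c + 1) & 0xFFFF if offloaded else c  # stand-in for the unfilled field
    tcp = tcp[:16] + struct.pack("!H", c) + tcp[18:]
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + s + d + tcp

ME, SRV = "192.168.1.10", "203.0.113.5"  # constructed addresses
SAMPLE = [
    build(ME, SRV, 49152, 80, 1000, b"GET / HTTP/1.1\r\n\r\n", offloaded=True),
    build(SRV, ME, 80, 49152, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    build(ME, SRV, 49152, 80, 1018, offloaded=True),
]
print(classify(SAMPLE, ME))
```

A verdict of `offload` means every bad checksum was on a frame sent by the capturing host and nothing was retransmitted; bad checksums on inbound frames, or any retransmission, return `investigate`.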

0

P.S. I have a quad boot system and each op sys is on a separate drive, those being XP Pro, Vista Business, Win 7, and Ubuntu respectively. I have a 3.2 GHz AMD Quad Core processor and had it not been for WIRESHARK, I might not have ever noticed there was a problem because the processor rocks and isn’t easily dragged down. I do know the following: 1.) When I am streaming music about 50% of my TCP/IP has bad checksums 2.) The issue is with my computer (WIRESHARK lists my natted IP 192.168.xxx.xxx as the source) and not the destination. 3.) Only happens with Win7 and Vista Business 4.) Eliminated the NIC, network router, and ISP router. 5.) I have too much money in this system to buy a bigger Hammer. Thanks in advance...

answered 15 Sep '10, 13:15

mrpatmorris

0

I’m pulling data from my NIC on my MB and all the errors are from me and outgoing. I’m not a programmer. I do have an A+ Cert, a CCNA, and a BS in electronics. I have been building systems since 1980 but have only recently started looking at network signals. I had thought of placing a switch in line at various points and redirecting the data but didn't have the hardware. So, by the process of elimination, I know my computer is the source of the problem and I think it starts at level three or level four. I uninstalled IPv6, I disabled the IP helper service and also disabled the DHCP Broadcast Flag. I also disabled, uninstalled and downloaded the latest driver for the NIC but since it works with XP, I know the NIC and driver are good. I did question the large send offload in the NIC properties. It is enabled for IPv4 and version 2 is enabled for IPv6. I’m a resistor and capacitor kind of guy and although I have programmed processors in hex with some Pascal/Fortran/C on the side, I'm at a loss here with limited real world experience seeing network signals. Sync and acknowledge is about the extent of my experience. All your help is greatly appreciated. Thanks in advance and I am making efforts to check what I have been told thus far. Thanks again….

answered 15 Sep '10, 15:19

mrpatmorris

0

Oliver, I have some news. I first went to the device manager, NIC properties, and then the advanced settings. There I turned the offloading off for IPv4 and IPv6. Wireshark didn’t like it when I turned off IPv4 offloading and shut down, but I just restarted Wireshark and all was good. Once Wireshark was up again, I saw the exact same problem with no change whatsoever. At that point, I turned both of those back on. I was streaming music at this point. Next, I did exactly what you said. I first shut down all windows and let the system settle down. After a couple of minutes, I started Wireshark and observed the system until I was sure it was stable with no errors; also it had no errors at this point. Then I opened IEv8 in Win7 and went to my homepage (yahoo.com) and the errors started just as usual. Then very quickly, I closed IE (yahoo.com) and the errors stopped within a couple of seconds. I then reopened IE to yahoo.com and instantly the checksum errors started in the outbound lane. Then again, I shut IE down and the errors stopped in Wireshark. I think that’s what you asked me to do and I guess the results confirm your suspicion. Is that correct? And if so, does that mean that I do not have a problem? Thanks again....

answered 15 Sep '10, 17:04

mrpatmorris

0

One last thing that may or may not be important. In XP, I'm still using IEv6 whereas in Vista and Win7 it's IEv8. ;)

answered 15 Sep '10, 17:11

mrpatmorris

0

Can you provide me the trace? I can have a look into it. But, yes it sounds like you don't have a problem.

regards Oliver

answered 16 Sep '10, 00:14

Oliver

0

If you could email me [email protected] I will send it.

answered 16 Sep '10, 19:18

mrpatmorris