Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: Re: [Wireshark-users] TCP checksum off-by-one errors?

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: "Matthias Pigulla" <mp@xxxxxxxxxxxxx>
Date: Thu, 5 Mar 2009 17:24:39 +0100

Hi all,

we noticed that all the packets that come in with the wrong checksum
have a size of 1420 bytes. A MSS of 1380 is exchanged during the TCP
handshake.

This was due to a setting on the CISCO firewall called "force maximum
segment size for TCP proxy connections" with a value of 1380.

We disabled this and that seems to fix the problem as now the MSS is
1460. 

What we still don't understand is the connection between setting the MSS
to a value lower than necessary and getting checksum errors on returning
packets. The same symptoms (wrong checksums with 1420 byte packets) are
mentioned here:
http://archives.neohapsis.com/archives/postfix/2006-09/0317.html
http://archives.neohapsis.com/archives/postfix/2006-09/0340.html

Explanations welcome :)

Matthias
  • References:
    • Re: [Wireshark-users] TCP checksum off-by-one errors?
      • From: netztier@xxxxxxxxxx
    • Re: [Wireshark-users] TCP checksum off-by-one errors?
      • From: Matthias Pigulla
  • Prev by Date: [Wireshark-users] Fwd: Wireshark file format
  • Next by Date: Re: [Wireshark-users] Wireshark file format
  • Previous by thread: Re: [Wireshark-users] TCP checksum off-by-one errors?
  • Next by thread: [Wireshark-users] Reading multiple files in tcpdump
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation