We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-users: Re: [Wireshark-users] Questions about BAD Checksum on RHEL5

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Tue, 17 Apr 2007 15:56:52 +0100
Sync ma wrote:
> Hi, all.
>     I have captured some packets on RHEL5, and almost every packet sent
> by this host has a
> bad checksum hint in wireshark(0.99.5), TCP(SSH) UDP(SIP, RTP, other
> private udp
> protocols). Is there any problem with my linux kernel? or wireshark has
> any bug with checksum
> validating?  Attachment is my pcap file which only has SSH packets in.

>From the FAQ (http://www.wireshark.org/faq.html#q11.1):

Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?

A: If the packets that have incorrect TCP checksums are all being sent
by the machine on which Wireshark is running, this is probably because
the network interface on which you're capturing does TCP checksum
offloading. That means that the TCP checksum is added to the packet by
the network interface, not by the OS's TCP/IP stack; when capturing on
an interface, packets being sent by the host on which you're capturing
are directly handed to the capture interface by the OS, which means that
they are handed to the capture interface without a TCP checksum being
added to them.

The only way to prevent this from happening would be to disable TCP
checksum offloading, but

   1. that might not even be possible on some OSes;
   2. that could reduce networking performance significantly.

However, you can disable the check that Wireshark does of the TCP
checksum, so that it won't report any packets as having TCP checksum
errors, and so that it won't refuse to do TCP reassembly due to a packet
having an incorrect TCP checksum. That can be set as an Wireshark
preference by selecting "Preferences" from the "Edit" menu, opening up
the "Protocols" list in the left-hand pane of the "Preferences" dialog
box, selecting "TCP", from that list, turning off the "Check the
validity of the TCP checksum when possible" option, clicking "Save" if
you want to save that setting in your preference file, and clicking "OK".

It can also be set on the Wireshark or TShark command line with a -o
tcp.check_checksum:false command-line flag, or manually set in your
preferences file by adding a tcp.check_checksum:false line.


Graham Bloice