
Wireshark-users: Re: [Wireshark-users] Intermittent connection loss

From: "Ian Schorr" <ian.schorr@xxxxxxxxx>
Date: Tue, 7 Oct 2008 13:35:28 +1000
TCP checksum errors, if valid, are often the result of a hardware error of some kind, but really could be anything.  Usually it means that something has managed to corrupt the packet, but the corruption wasn't caught (or didn't occur) at a lower level, like Ethernet.

However, my guess is that they're false positives.  Do you only see the errors on frames that are transmitted (not received) by the host you ran the capture on?  Do you see the TCP segment retransmitted (Wireshark should flag it if you have TCP seq number analysis enabled)?  If the answer to the first is yes, and no to the second, then it's probably a bogus symptom.

Nowadays most NICs support TCP checksum calculation.  When it's transmitting a TCP packet, the OS hands the NIC the packet, the NIC calculates the TCP checksum and stuffs it in the packet, then transmits it.  Unfortunately, Wireshark/pcap capture the packets BEFORE they're sent to the NIC, and before the TCP checksum is calculated.  So what's in the capture is usually either zeros, or some random data (it's uninitialized memory...It's just garbage and will be overwritten by the NIC once it calculates checksum).  If you're running a newish version of Wireshark, you'll notice that it says "may be caused by 'TCP checksum offload'?" next to the "Checksum incorrect" message...It's suggesting the same thing I am.

What do you mean by "losing connection to their default gateway"?  They can't forward packets through it?  They can't ping it?

Ian

On Tue, Oct 7, 2008 at 2:29 AM, Malhoit, Lauren <Lauren.Malhoit@xxxxxxxxxxxxx> wrote:

We have a site that appears to be losing their connection to their default gateway (which is actually a cisco asa 5500).  They receive DHCP IPs from the firewall.  It happens about a couple of times every day.  I started running wireshark on one of the servers and I'm getting the bad tcp/checksum error quite a few times, usually involving the same destination (a client computer).  I'm not really sure what that means, though.  Should I check that computer for viruses or spyware?  It should have McAfee on it, though, and it is currently on the network, so it would be updated (as long as everything is running correctly).  What do all the bad tcp packets imply?  What else should I be on the lookout for?  Thanks in advance for any help!

Lauren

Lauren Malhoit
IT Systems/Network Administrator
Tyler Technologies, Inc.
3199 Klepinger Road
Dayton, Ohio 45406
Phone: 1-800-800-2581 x1863
Cell: 419-349-3283
Fax: 937-278-3711
E-mail: Lauren.Malhoit@xxxxxxxxxxxxx
Web: www.tylertech.com


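Added illustration, not part of the thread: the RFC 793 checksum arithmetic behind Wireshark's "Checksum incorrect" flag, a segment whose checksum was left for the NIC to fill in (checksum offload), and Ian's transmitted-vs-received test applied to a small constructed capture. All addresses, ports and payloads are constructed placeholders.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum: IPv4 pseudo-header + TCP header/payload, checksum field taken as 0."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """The per-segment check Wireshark performs when TCP checksum validation is on."""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(src_ip, dst_ip, sport, dport, payload, offloaded=False) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) + payload. With offloaded=True the checksum
    field is left 0: that is what libpcap records before the NIC computes and writes it."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    if offloaded:
        return seg
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

def diagnose(frames, capture_host: str) -> str:
    """Ian's heuristic: bad checksums only on frames *sent* by the capturing host fit
    checksum offload; bad checksums on *received* frames point to real corruption."""
    bad_tx = sum(1 for s, d, seg in frames if s == capture_host and not checksum_ok(s, d, seg))
    bad_rx = sum(1 for s, d, seg in frames if s != capture_host and not checksum_ok(s, d, seg))
    if bad_rx:
        return "corruption"
    return "offload" if bad_tx else "clean"

# Constructed sample capture taken on 192.0.2.10 (documentation-range placeholder addresses).
HOST, CLIENT, GW = "192.0.2.10", "192.0.2.55", "192.0.2.1"
FRAMES = [
    (HOST, CLIENT, build_segment(HOST, CLIENT, 445, 50000, b"outgoing", offloaded=True)),
    (CLIENT, HOST, build_segment(CLIENT, HOST, 50000, 445, b"incoming reply")),
    (GW, HOST, build_segment(GW, HOST, 53, 40000, b"from gateway")),
]
```

Running `diagnose(FRAMES, HOST)` on the sample yields "offload", the situation Ian describes; a bad checksum on a frame received from the client would instead yield "corruption".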