According to the Wireshark FAQ, TCP checksum offloading causes checksums for outbound traffic to be calculated incorrectly. On some Linux hosts I see some inbound TCP traffic that is flagged with incorrect checksums:

```
$ sudo tcpdump -n -vvv dst 10.10.2.20 | grep incorrect
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10.10.2.3.nfs > 10.10.2.20.884: Flags [P.], cksum 0x83fc (incorrect -> 0x2825), seq 3552641460:3552662384, ack 2706746316, win 32806, options [nop,nop,TS val 34524903 ecr 341853002], length 20924
10.10.2.9.ssh > 10.10.2.20.42037: Flags [P.], cksum 0xf39f (incorrect -> 0x2fe6), seq 5174:6902, ack 3086, win 204, options [nop,nop,TS val 263217396 ecr 341868329], length 1728
```

Where 10.10.2.20 is the external interface on this system.

What conditions can account for incorrect inbound TCP checksums?

eradman
  • I think this FAQ entry is a bit misleading. There is also checksum offloading for RX packets. Depending on your NIC the original checksum/packet may be altered, so Wireshark reports a false positive. You can try and disable all checksum offloading: http://wiki.wireshark.org/CaptureSetup/Offloading – r_3 Jan 23 '15 at 17:44
  • If the comment was correct, maybe you could answer your own question. – r_3 Jan 26 '15 at 13:27
  • "may be altered" is not an explanation. Understanding network activity has become increasingly difficult and it seems that many network admins have simply given up. – eradman Jan 27 '15 at 16:15
  • Can you please check if tx offloading is activated for your NIC using `ethtool --show-offload eth0 | grep tx-checksumming`. If it's on, that is the cause of the false positives. – r_3 Jan 27 '15 at 18:11
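
Added example, not part of the original question or comments: a triage script for `tcpdump -v` lines like the ones above. It marks a bad-checksum inbound segment as `coalesced` when its payload is larger than a single frame can carry, which means the host merged several wire segments before the capture point (receive offload), and as `investigate` when it fits in one frame. The function names, the IPv4-without-options header size, the default MTU of 1500 and the third sample line are assumptions made for the example.

```python
import re

# Two lines copied from the question plus one constructed normal-sized segment.
SAMPLE = """\
10.10.2.3.nfs > 10.10.2.20.884: Flags [P.], cksum 0x83fc (incorrect -> 0x2825), seq 3552641460:3552662384, ack 2706746316, win 32806, options [nop,nop,TS val 34524903 ecr 341853002], length 20924
10.10.2.9.ssh > 10.10.2.20.42037: Flags [P.], cksum 0xf39f (incorrect -> 0x2fe6), seq 5174:6902, ack 3086, win 204, options [nop,nop,TS val 263217396 ecr 341868329], length 1728
10.10.2.9.ssh > 10.10.2.20.42037: Flags [P.], cksum 0x1a2b (correct), seq 6902:7002, ack 3086, win 204, options [nop,nop,TS val 263217400 ecr 341868330], length 100
"""

LINE_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\], "
    r"cksum (?P<cksum>0x[0-9a-f]+) \((?P<state>correct|incorrect -> 0x[0-9a-f]+)\)"
    r".*?(?:options \[(?P<opts>[^\]]*)\], )?length (?P<length>\d+)"
)

IPV4_HDR = 20  # assumption: IPv4 header without IP options
TCP_HDR = 20   # fixed part of the TCP header
TS_OPT = 12    # nop,nop,timestamp option block as printed in the capture


def classify(line, mtu=1500):
    """Return (src, payload_len, verdict) for one tcpdump -v line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    opt_bytes = TS_OPT if "TS val" in (m.group("opts") or "") else 0
    max_payload = mtu - IPV4_HDR - TCP_HDR - opt_bytes
    length = int(m.group("length"))
    if m.group("state") == "correct":
        verdict = "ok"
    elif length > max_payload:
        # Cannot have arrived as one frame: merged after reception.
        verdict = "coalesced"
    else:
        # Fits in one frame, so coalescing alone does not explain it.
        verdict = "investigate"
    return m.group("src"), length, verdict


def report(text, mtu=1500):
    """Classify every parsable line of a tcpdump text capture."""
    return [r for r in (classify(l, mtu) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for src, length, verdict in report(SAMPLE):
        print(f"{src:20} len={length:<6} {verdict}")
```

Pass the interface's real MTU (for example `mtu=9000` on a jumbo-frame storage network), since the verdict for the 1728-byte segment depends on it.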

0 Answers