4

I have a JAX-RS web service which is secured via TLS. Since encryption is very important, I decided to check the network traffic with RawCap and analyze it with Wireshark. Doing this, I stumbled over the following message:

Header checksum: 0x0000 [incorrect, should be 0xac15 (may be caused by "IP checksum offload"?)]
  1. What is the reason for this message?
  2. Are there any further consequences?

I'm pretty sure that it isn't a problem with my RESTEasy client, because retrieving a resource via Firefox causes the same message.

My-Name-Is

3 Answers

9

This doesn't come from your application - it is caused by the TCP/IP stack. Many implementations do not (or not always) fill in the header checksum, leaving it at 0x0000.

As Wireshark indicated, one reason for this is that some combinations of OS and NIC driver make the OS think that the checksum will be filled in by the NIC (hardware-accelerated), but in fact it will not be.

This is not a real problem, as long as your transmission path is reliable. AFAIK it is not a security risk.

Eugen Rieck
  • @Eugene Are you saying IP packets with checksum 0x0000 are deliverable/acceptable? – djf May 29 '13 at 13:27
  • 2
    Sure they will! Some OSes can be set to reject them, but this is quite an exotic setting. 0x0000 is completely legal and means "No checksum calculated" – Eugen Rieck May 29 '13 at 13:29
  • 2
    @djf I stand corrected! I just looked this up, and the "0x0000 == not calculated" is ONLY valid for UDP, not for TCP. Sorry for that. – Eugen Rieck May 29 '13 at 13:32
  • @Eugene Thx for double checking. – djf May 29 '13 at 13:38
  • @EugenRieck I know it's been a long time, but where did you get that info from? I'm having trouble with Windows issuing IP checksums == 0 and I want to make sure this is expected behavior. Thanks – debuti Dec 17 '21 at 09:19
  • @debuti Experience. – Eugen Rieck Dec 17 '21 at 09:48
1

Was this an outgoing packet?

As the error message suggests, IP checksum offload is enabled. This means that the computer’s TCP/IP stack does not calculate the checksum. Instead the NIC hardware does the calculation before sending the packet out.

This is not a real error. You can safely ignore it.

djf
0

In this case, the checksum field has been ignored with no consequences. However, the checksum field in general is intended to verify the integrity of a packet. An incorrect checksum generally indicates errors (possibly EMI) or loss of integrity and may indicate a compromise.
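Added example, not part of any answer above: a Python sketch that recomputes the IPv4 header checksum (RFC 1071) and separates the capture artifact the answers describe (a wrong checksum on a packet sent by the capturing host) from a mismatch on a received packet. The sample headers, the local address set and the function names are constructed for illustration.

```python
import ipaddress
import struct


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum, checksum field treated as zero."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    zeroed = header[:10] + b"\x00\x00" + header[12:ihl]
    total = sum(struct.unpack(f"!{ihl // 2}H", zeroed))
    while total >> 16:                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify(header: bytes, local_addrs) -> str:
    """Return 'valid', 'likely-offload' or 'mismatch' for a captured header."""
    stored = struct.unpack("!H", header[10:12])[0]
    if stored == ipv4_header_checksum(header):
        return "valid"
    src = ipaddress.IPv4Address(header[12:16])
    # Outgoing packets are captured before the NIC fills in the checksum,
    # so a wrong value on a locally sourced packet is a capture artifact.
    if src in local_addrs:
        return "likely-offload"
    # A received packet with a wrong checksum was damaged or altered in
    # transit; a normal IP stack would have dropped it.
    return "mismatch"


# Constructed sample data: 192.168.0.1 is assumed to be the capturing host.
LOCAL = {ipaddress.IPv4Address("192.168.0.1")}
GOOD = bytes.fromhex("450000730000400040" "11b861c0a80001c0a800c7")
OFFLOADED = GOOD[:10] + b"\x00\x00" + GOOD[12:]               # checksum 0x0000
INBOUND_BAD = GOOD[:10] + b"\x00\x00" + GOOD[16:20] + GOOD[12:16]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("offloaded", OFFLOADED),
                      ("inbound-bad", INBOUND_BAD)):
        print(f"{name}: expected 0x{ipv4_header_checksum(pkt):04x}, "
              f"verdict {classify(pkt, LOCAL)}")
```

To confirm that offload is the cause on a given machine, capture the same traffic on the receiving host or a mirror port, where the checksum should already be filled in.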