1

A tcpdump pcap exported and being investigated on another machine with Wireshark is showing a lot of invalid TCP checksum messages. This is a known and documented phenomenon when using TCP offload functionality: https://wiki.wireshark.org/TCP_Checksum_Verification

The only thing that is unclear is why the checksum is incorrect?

TCP checksums are calculated over the entire TCP segment with the help of a pseudo header and using the temporary checksum value of all zeros during the process of checksum calculation (http://www.tcpipguide.com/free/t_TCPChecksumCalculationandtheTCPPseudoHeader-2.htm#Figure_218). The pseudo header is then discarded. Where does the difference creep in?

2 Answers

7

Because the checksum is being calculated by the NIC, and not by the operating system.

The wiki page you linked to did explain this:

If you capture on a recent Ethernet NIC, you may see many such "checksum errors". This is due to TCP Checksum offloading often being implemented on those NICs and thus, for packets being transmitted by the machine. The checksum will not be calculated until the packet is sent out by the NIC hardware, long long after your capture tool intercepted the packet from the network stack.

Michael Hampton
  • 252,907
5

A TCP segment is located in computer RAM. It contains all the fields required for the TCP segment.

When TCP checksum offload is used, this is what happens when transmitting a segment:

The OS fills out every field in the TCP segment in memory, EXCEPT for the checksum. The checksum field is not computed by the OS; it contains whatever data there was before in that memory location.

Now, packet capture tools like Wireshark capture the contents of this memory location, which contains a TCP segment without a computed checksum.

When the OS sends the segment to the NIC, the NIC hardware then performs the checksum computation, and puts the computed checksum to the particular TCP segment field. This checksum is never seen by the OS or capture tool.

This is the reason why Wireshark reports those errors.

Tero Kilkanen
  • 38,887
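
The mechanism both answers describe, as an added example that is not part of either answer or of the Wireshark wiki: it computes the TCP checksum over the IPv4 pseudo header plus the segment, then runs the receiver-side check on a segment as the capture tool sees it (checksum field not yet computed) and on the same segment after the NIC has filled the field in. The addresses, ports, payload and the stand-in field value `0x1234` are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # IPv4 pseudo header: src addr, dst addr, zero byte, protocol 6 (TCP), TCP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Sender side: zero the checksum field (bytes 16-17), sum, then complement."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF

def verify(src: str, dst: str, segment: bytes) -> bool:
    """Receiver / analyzer side: sum over the segment as-is must fold to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_segment(checksum_field: int, payload: bytes) -> bytes:
    # Constructed sample: ports 49152 -> 80, seq 1, ack 1, 20-byte header, PSH|ACK
    header = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18,
                         64240, checksum_field, 0)
    return header + payload

SRC, DST = "192.0.2.10", "198.51.100.20"   # documentation addresses (constructed)
PAYLOAD = b"GET / HTTP/1.1\r\n\r\n"          # constructed payload

def simulate():
    # Sending host, capture point above the NIC: the checksum field is not computed.
    # 0x1234 is an arbitrary stand-in for whatever that field happens to contain.
    captured = build_segment(0x1234, PAYLOAD)
    # On the wire: the NIC has computed the checksum and written it into the field.
    on_wire = build_segment(tcp_checksum(SRC, DST, captured), PAYLOAD)
    return verify(SRC, DST, captured), verify(SRC, DST, on_wire)

if __name__ == "__main__":
    captured_ok, wire_ok = simulate()
    print(f"captured on sender: valid={captured_ok}")
    print(f"seen on the wire:   valid={wire_ok}")
```

A capture taken on the receiving host, or on a tap between the two machines, sees the second form, so the same check passes there.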