Wireshark-users: Re: [Wireshark-users] TCP Checksum issues...

From: "Jim Young" <SYSJHY@xxxxxxxxxxxxxxx>
Date: Wed, 12 Dec 2007 14:51:43 -0500

Hello Richard,

>>> "Richard Whittaker" <RWHITTAKER@xxxxxxxx> 12/12/07 12:57 PM >>>
> We've done a couple of rounds of network captures 
> of several workstations, and have run into some 
> significant "oddness"... 
>
> In the first round of captures, on 6 of the 8 workstations 
> there were in excess of 50% of all packets tagged 
> at "TCP CHECKSUM INCORRECT"... 
> 
> Did some research, found the option to disable TCP 
> checksumming, and re-ran the captures... We're getting 
> the same results on the same workstations... Is this a 
> badly configured network/workstation/driver?... 

I assume that you are sniffing ON the machines?

If so, were those "50% of all packets" the packets that 
originated on the station that you were running the
sniff on? Then the problem MOST definitely is 
checksum offloading: the OS is leaving it up to the 
NIC card to do the calculation and Wireshark only 
gets to see the egress frames BEFORE the TCP 
checksum has been calculated.

Where did you try to "disable TCP checksumming"? Within
the driver for the NIC card, to force the OS to do the 
TCP checksumming? Or within Wireshark, where you can 
enable/disable the TCP Preference "Validate the TCP 
checksum if possible"? If you disabled this preference
within Wireshark I would think that you shouldn't 
see any checksum incorrect messages.

If you are sniffing both hosts on either side of a TCP 
session you MAY see that the ingress frames from the
peer node have CORRECT TCP checksums.  This is a 
dead giveaway that TCP checksumming is involved.

Hope this helps,

Jim Y.
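
Added example, not part of the original message: a Python sketch of the direction test described above, which recomputes the TCP checksum of each captured segment and counts failures separately for egress and ingress frames. The frames, addresses and the `build_segment`/`diagnose` helpers are constructed for illustration, and the XOR'd checksum is only a stand-in for a field the NIC has not yet filled in.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, seg: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment, checksum field zeroed."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return ~ones_sum(pseudo + seg[:16] + b"\x00\x00" + seg[18:]) & 0xFFFF

def build_segment(src, dst, sport, dport, payload, offloaded=False):
    """Constructed sample data: 20-byte TCP header (PSH+ACK) plus payload."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    csum = tcp_checksum(src, dst, seg)
    if offloaded:
        csum ^= 0xFFFF  # stand-in for a field the NIC has not filled in yet
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def diagnose(frames, capture_host):
    """frames: (src_ip, dst_ip, tcp_segment) tuples. Returns (verdict, bad_egress, bad_ingress)."""
    bad_egress = bad_ingress = 0
    for src, dst, seg in frames:
        stored = struct.unpack("!H", seg[16:18])[0]
        if stored != tcp_checksum(src, dst, seg):
            if src == capture_host:
                bad_egress += 1
            else:
                bad_ingress += 1
    if bad_ingress:
        return "investigate", bad_egress, bad_ingress  # bad on arrival, not offload
    if bad_egress:
        return "offload-likely", bad_egress, bad_ingress
    return "clean", 0, 0

HOST, PEER = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
SAMPLE = [
    (HOST, PEER, build_segment(HOST, PEER, 50000, 80, b"GET / HTTP/1.1\r\n\r\n", offloaded=True)),
    (HOST, PEER, build_segment(HOST, PEER, 50000, 80, b"abc", offloaded=True)),
    (PEER, HOST, build_segment(PEER, HOST, 80, 50000, b"HTTP/1.1 200 OK\r\n\r\n")),
    (PEER, HOST, build_segment(PEER, HOST, 80, 50000, b"hello")),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, HOST))
```

A result of "investigate" means at least one frame arrived from the peer with a bad checksum, which offloading on the capturing host does not explain.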