Hello Richard,

>>> "Richard Whittaker" <RWHITTAKER@xxxxxxxx> 12/12/07 12:57 PM >>>
> We've done a couple of rounds of network captures
> of several workstations, and have run into some
> significant "oddness"...
>
> In the first round of captures, on 6 of the 8 workstations
> there were in excess of 50% of all packets tagged
> as "TCP CHECKSUM INCORRECT"...
>
> Did some research, found the option to disable TCP
> checksumming, and re-ran the captures... We're getting
> the same results on the same workstations... Is this a
> badly configured network/workstation/driver?...

I assume that you are sniffing ON the machines?
If so, were those "50% of all packets" the packets that
originated on the station that you were running the
sniff on? Then the problem MOST definitely is
checksum offloading: the OS is leaving it up to the
NIC card to do the calculation, and Wireshark only
gets to see the egress frames BEFORE the TCP
checksum has been calculated.

Where did you try to "disable TCP checksumming"? Within
the driver for the NIC card, to force the OS to do the
TCP checksumming? Or within Wireshark, where you can
enable/disable the TCP preference "Validate the TCP
checksum if possible"? If you disabled this preference
within Wireshark, I would think that you shouldn't
see any checksum incorrect messages.

If you are sniffing both hosts on either side of a TCP
session you MAY see that the ingress frames from the
peer node have CORRECT TCP checksums. This is a
dead giveaway that TCP checksumming is involved.

Hope this helps,
Jim Y.
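
The check described in the reply above, as an added example (not part of the original message): validate TCP checksums on a capture and see whether the failures are confined to frames sent by the capturing host. The addresses, header values and the zeroed checksum standing in for an unfinished, offloaded checksum are all constructed assumptions.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # A correct segment sums to 0xFFFF together with the IPv4 pseudo-header.
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_segment(src: str, dst: str, payload: bytes, finished: bool) -> bytes:
    # Constructed header: ports 49152 -> 80, seq 1, ack 0, PSH|ACK, window 8192.
    seg = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    if not finished:
        return seg  # checksum left for the NIC: what a local capture sees on egress
    csum = 0xFFFF - ones_sum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def diagnose(capture_host: str, packets) -> str:
    """packets: iterable of (src_ip, dst_ip, tcp_segment_bytes)."""
    bad_out = bad_in = 0
    for src, dst, seg in packets:
        if not tcp_checksum_ok(src, dst, seg):
            if src == capture_host:
                bad_out += 1
            else:
                bad_in += 1
    if bad_in:
        return "investigate"   # frames arriving from the wire fail too
    return "offload" if bad_out else "clean"

HOST, PEER = "10.0.0.5", "10.0.0.9"          # constructed sample addresses
DATA = b"GET / HTTP/1.0\r\n\r\n"             # constructed payload
SAMPLE = [
    (HOST, PEER, build_segment(HOST, PEER, DATA, finished=False)),  # egress
    (PEER, HOST, build_segment(PEER, HOST, DATA, finished=True)),   # ingress
    (HOST, PEER, build_segment(HOST, PEER, DATA, finished=False)),  # egress
]

if __name__ == "__main__":
    print(diagnose(HOST, SAMPLE))
```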