Tuesday, November 25, 2008

Wireshark complains of "bad tcp checksum" on local captures

When using Wireshark to look at network transfers across the localhost interface, you get big "TCP checksum incorrect" messages, and the packets show up red/black in the graphical display. It looks like this comes up because Linux doesn't calculate or check the checksum on localhost packets, which I suppose makes sense as there's no chance of corruption in transit. (Aside from memory errors or bugs, but there's no particular point checking for them just at the time the packet's queued.)

This can be ignored in Wireshark by unchecking "Preferences|Protocols|TCP|Validate the TCP checksum if possible".
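To make the point concrete, here is an added example (not code from the original post) that does what Wireshark's "Validate the TCP checksum" option does: it recomputes the checksum over the IPv4 pseudo-header plus the TCP segment and compares it with the value stored in the packet. The packet itself is constructed inline for a loopback-style exchange; the `build_ipv4_tcp` builder is an assumption made for the example, and it only handles IPv4 without options beyond what the IHL field describes. Leaving an arbitrary value in the checksum field, as the sending host's capture shows when the kernel has left the work to the NIC (or skipped it on `lo`), is exactly what produces the "incorrect" verdict.

```python
"""
Added example: verify a TCP checksum the way a capture tool does.
Not part of the original post; packet builder and sample values are
constructed here for illustration.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    followed by the TCP header and payload with the checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return checksum(pseudo + zeroed)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes,
                   tcp_csum: Optional[int] = None) -> bytes:
    """Constructed sample packet (assumption for this example, not a real capture).
    tcp_csum=None fills in the correct value; passing a number leaves that value
    in the field, mimicking a capture taken on the sending host before the NIC
    (or nobody, on the loopback interface) has finished the checksum."""
    src_ip, dst_ip = IPv4Address(src).packed, IPv4Address(dst).packed
    seq, ack, flags, window = 1, 0, 0x18, 65535  # PSH+ACK, data offset 5 words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, window, 0, 0)
    segment = tcp_hdr + payload
    if tcp_csum is None:
        tcp_csum = tcp_checksum(src_ip, dst_ip, segment)
    segment = segment[:16] + struct.pack("!H", tcp_csum) + segment[18:]
    total_len = 20 + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 6, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + segment


def validate_tcp(packet: bytes) -> dict:
    """Parse a raw IPv4 packet and report stored vs. expected TCP checksum,
    which is the comparison behind Wireshark's 'TCP checksum incorrect' note."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src_ip, dst_ip, segment)
    return {
        "ip_header_valid": checksum(packet[:ihl]) == 0,  # sums to zero when intact
        "stored": stored,
        "expected": expected,
        "valid": stored == expected,
    }


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0\r\n\r\n"
    good = build_ipv4_tcp("127.0.0.1", "127.0.0.1", 40000, 8080, payload)
    print("complete checksum:", validate_tcp(good))
    # Same segment with the checksum field left unfinished, as seen on the sender.
    stale = build_ipv4_tcp("127.0.0.1", "127.0.0.1", 40000, 8080, payload,
                           tcp_csum=validate_tcp(good)["expected"] ^ 0x0001)
    print("unfinished checksum:", validate_tcp(stale))
```

The same segment captured on the wire, or on the receiving host, would carry the completed checksum and validate; the mismatch is only visible where the capture is taken before the offloaded step has happened, which is why turning the validation off is the right fix for local captures rather than a sign of corrupted traffic.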

2 comments:

Andrew Pollock said...

You also see that for non-local captures when the local NIC supports doing the checksums in hardware. Linux doesn't bother calculating the checksum and lets the NIC do it. Wireshark gets most unhappy.

Seth Schoen said...

I have some discussion of this and a couple of related issues in

http://www.eff.org/wp/detecting-packet-injection

It's really a challenge when you're trying to run packet sniffers in multiple places on the Internet and compare individual packets byte-for-byte. There is some information on how to ask Linux and other systems to disable these features (which might make your network performance worse, but should make your packet captures better reflect what your machine is actually transmitting).