Differences between revisions 11 and 13 (spanning 2 versions)
Revision 11 as of 2006-06-13 19:33:33
Size: 1949
Editor: GuyHarris
Comment: Small edit from the Ethereal Wiki, plus another small edit.
Revision 13 as of 2008-04-12 17:51:24
Size: 1951
Editor: localhost
Comment: converted to 1.6 markup
Line 4: Line 4:
By default and whenever possible Wireshark will verify whether the ["TCP"] checksum of a packet will be correct or not.
TCP packets that have invalid checksums will be marked as such with a warning in the information column in the summary pane and also, most important, if the checksum is BAD that tells wireshark that the packet is corrupted and it will NOT be included in any ["TCP Reassembly"].
I.e. these packets will be ignored by the ["TCP Reassembly"] engine and reassembly will not work.
By default and whenever possible Wireshark will verify whether the [[TCP]] checksum of a packet will be correct or not.
TCP packets that have invalid checksums will be marked as such with a warning in the information column in the summary pane and also, most important, if the checksum is BAD that tells wireshark that the packet is corrupted and it will NOT be included in any [[TCP_Reassembly]].
I.e. these packets will be ignored by the [[TCP_Reassembly]] engine and reassembly will not work.
Line 12: Line 12:
=== TCP checksum offloading (lot's of checksum errors) === === TCP checksum offloading (lots of checksum errors) ===
Line 14: Line 14:
There are causes where you might see lot's of checksum errors. There are causes where you might see lots of checksum errors.
Line 16: Line 16:
If you capture on a recent Ethernet ["NIC"], you may see many such "checksum errors". This is due to TCP Checksum offloading often being implemented on those ["NIC"]s and thus, for packets being '''transmitted''' by the machine. The checksum will not be calculated until the packet is sent out by the ["NIC"] hardware, long long after your capture tool intercepted the packet from the network stack. If you capture on a recent Ethernet [[NIC]], you may see many such "checksum errors". This is due to TCP Checksum offloading often being implemented on those [[NIC]]s and thus, for packets being '''transmitted''' by the machine. The checksum will not be calculated until the packet is sent out by the [[NIC]] hardware, long long after your capture tool intercepted the packet from the network stack.
Line 22: Line 22:
attachment:tcpchecksumchecking.jpg {{attachment:tcpchecksumchecking.jpg}}
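Review bot: the "Line 14" change fixes "lot's" but leaves "There are causes where you might see lots of checksum errors" as it was; "causes" looks like a typo for "cases" and could be corrected in the same edit. In the "Line 16" change, the text still breaks after "for packets being '''transmitted''' by the machine.", leaving that clause without a verb; joining it to the following "The checksum will not be calculated ..." sentence would fix it.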

TCP Checksum Verification

By default, and whenever possible, Wireshark verifies whether the TCP checksum of a packet is correct. TCP packets that have invalid checksums are marked as such with a warning in the information column in the summary pane. Most importantly, a BAD checksum tells Wireshark that the packet is corrupted, and it will NOT be included in any TCP_Reassembly. I.e., these packets will be ignored by the TCP_Reassembly engine and reassembly will not work.

The TCP checksum will only be tested for packets that have been fully captured, and thus for short packets, the checksum will not be verified. But then again, short packets will be ignored by the desegmentation engine anyway.

It should be VERY VERY rare to see corrupted packets in today's networks unless you have a router or a switch with a bad RAM module with a sticky bit. Still, it should be VERY rare to see this for packets that actually are corrupted.

TCP checksum offloading (lots of checksum errors)

There are cases where you might see lots of checksum errors.

If you capture on a recent Ethernet NIC, you may see many such "checksum errors". This is due to TCP checksum offloading often being implemented on those NICs. Thus, for packets being transmitted by the machine, the checksum will not be calculated until the packet is sent out by the NIC hardware, long after your capture tool intercepted the packet from the network stack.

As this may be confusing and will prevent Wireshark from reassembling TCP segments, it's a good idea to switch checksum verification off in these cases.

To disable checking of the TCP checksum validity, go to the TCP preferences and untick the box for checksum verification.
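
The following Python sketch is an added example, not code from Wireshark or from this wiki page. It recomputes the TCP checksum over the IPv4 pseudo-header and segment to show why a transmitted segment captured before the NIC fills in the checksum is reported as bad, and why a truncated capture is left unverified. Addresses, ports, payload and function names are constructed; the value left in the checksum field at capture time (the pseudo-header partial sum) is an assumption about what the stack hands to the NIC.

```python
import socket
import struct

def fold_sum(data: bytes) -> int:
    """16-bit ones'-complement sum (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def with_checksum(segment: bytes, value: int) -> bytes:
    """Return the segment with bytes 16..17 (the checksum field) set to value."""
    return segment[:16] + struct.pack("!H", value) + segment[18:]

def expected_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum a correct sender would store: computed with the field zeroed."""
    zeroed = with_checksum(segment, 0)
    return ~fold_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF

def check(src: str, dst: str, captured: bytes, wire_len: int) -> str:
    """'unverified' if the capture is shorter than the segment, else 'good' or 'bad'."""
    if len(captured) < wire_len:
        return "unverified"  # a cut-off segment cannot be summed in full
    stored = struct.unpack("!H", captured[16:18])[0]
    return "good" if stored == expected_checksum(src, dst, captured) else "bad"

# Constructed sample: documentation addresses, a 20-byte header, a small payload.
SRC, DST = "192.0.2.10", "198.51.100.20"
HEADER = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
SEGMENT = HEADER + b"GET / HTTP/1.1\r\n\r\n"

# What the receiver sees on the wire: the NIC has written the final checksum.
ON_WIRE = with_checksum(SEGMENT, expected_checksum(SRC, DST, SEGMENT))
# What the sender's capture tool sees: the field is not final yet (assumed value).
AT_CAPTURE = with_checksum(SEGMENT, fold_sum(pseudo_header(SRC, DST, len(SEGMENT))))

if __name__ == "__main__":
    print("on the wire:      ", check(SRC, DST, ON_WIRE, len(ON_WIRE)))
    print("sender's capture: ", check(SRC, DST, AT_CAPTURE, len(AT_CAPTURE)))
    print("truncated capture:", check(SRC, DST, ON_WIRE[:30], len(ON_WIRE)))
```

The same bytes leave the machine with a valid checksum; only the copy taken above the NIC looks corrupted, which is why the "errors" appear on transmitted packets only.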


Preference String

Check the validity of the TCP checksum when possible.

TCP_Checksum_Verification (last edited 2008-04-12 17:51:24 by localhost)