blog.bumpinthe.net/2016/05/18/bad-checksum-in-packet-captures/
Bad Checksum in Packet Captures
I was working with a carrier to identity some SIP trunk issues recently, and they requested a packet capture of the traffic leaving our Mediation servers. I sent the capture over, and they quickly …
blog.bumpinthe.net
Bad Checksum in Packet Captures
Posted on May 18, 2016
I was working with a carrier to identity some SIP trunk issues recently, and they requested a packet capture of the traffic leaving our Mediation servers. I sent the capture over, and they quickly came back with a question: Why are all of the packets marked as “Bad Checksum” in NetMon.
As it turns out, this isn’t anywhere near the disaster that the carrier thought it was. If we open the same capture in Wireshark, we can see that Checksum validation is disabled.
This is expected when you are running your packet capture on a host that is generating or receiving the traffic you’re interested in (versus setting up a span port on a switch and mirroring traffic to a dedication packet capture machine). The reason? The packet capture takes place within the network driver stack, while checksums are almost always offloaded to hardware. For outgoing traffic, the packet is captured before the checksum is calculated, and there is no valid checksum available to include in the packet capture.
Here’s handy diagram courtesy of that shows the network stack and where the Packet Capture and Checksum take place. (Red arrows and boxes)
First with Offloading:
Packet capture with Offloading
And now without Offloading:
Packet capture without Offloading
If you’re not capturing packets to detect and correct malformed packets, this shouldn’t be of concern to you. If you need checksums, you have two options. One is to select your network adaptor, choose Properties, and on the Advanced tab, find all of the “Checksum Offload” properties and set them to Disabled (don’t do this). The other use a span port on a switch to mirror traffic to a dedicated capture PC (do this instead). Setting Checksum Offload to disable means you will take a performance hit, as you are no longer using the hardware on the NIC to perform these calculations. If you absolutely cannot do a span port, disable Checksum Offload with caution and be sure to re-enable it immediately after you’re done.
Happy packet capturing!
'네트워크 > 네트워크 공통' 카테고리의 다른 글
| [스크랩] 커버로스 (Kerberos) (0) | 2021.04.23 |
|---|---|
| 윈도우 서버 환경에서, 최대 생성 가능한 소켓(socket) 연결 수는 얼마일까? (0) | 2020.07.01 |
| 서브넷팅 계산 방법 (0) | 2020.05.15 |
| 서브넷 (subnet) (0) | 2020.05.14 |
| 네트워크 클래스 (network class) (0) | 2020.05.14 |