This is our old Q&A Site. Please post any new questions and answers at

Any ideas on what is causing all these header checksum errors... A few times a day users intermittently lose network connections to the exchange server or the internet. Upon opening IE I start to see checksum errors like the following and they stop when closing IE...

Header checksum: 0x0000 [incorrect, should be 0x54ad (maybe caused by "IP checksum offload"?)]

This is a sample of the packet traffic that get the checksum error:

20  4.223408 DNS 76  Standard query A
87  17.876965 DNS 73  Standard query A
91  17.892743  TCP 66  50355 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
93  17.893526  TCP 54  50355 > http [ACK] Seq=1 Ack=1 Win=65700 Len=0
126 20.883091  TCP 54  50356 > http [ACK] Seq=1 Ack=1 Win=65700 Len=0
127 20.883608  HTTP    297 GET / HTTP/1.1 
2811    41.858393  TCP 54  50455 > http [RST, ACK] Seq=407 Ack=1 Win=0 Len=0
2812    41.858718   TCP 54  50452 > http [RST, ACK] Seq=427 Ack=1 Win=0 Len=0
3426    49.442890  TCP 54  50422 > http [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3427    49.550803 TCP 54  50388 > http [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Thanks, Dave

asked 05 Jun '12, 13:08

Dave's gravatar image

accept rate: 0%

edited 05 Jun '12, 13:19

grahamb's gravatar image

grahamb ♦

As the error message suggests, IP checksum offload is enabled. This means that the computer’s TCP/IP stack does not calculate the checksum. Instead, it passes the packet to the NIC and the NIC driver calculates the checksum and adds it to the packet before the packet is transmitted on the wire. Wireshark sees the packet before the checksum has been added. When the packet is transmitted on the wire, the checksum is correct.

One clue that checksum offload is involved is that the packets with the errors don’t get retransmitted. If the checksum really was wrong, either the packets would be retransmitted, or the communication would fail.

This can be considered a cosmetic error. You can ignore it, or you can make it go away by turning off checksum offloading in the NIC properties, or disabling IP checksum validation in Wireshark’s properties.

To see the actual transmitted packet with the correct checksum, capture the traffic from a third PC that is not involved in the communication using a hub or a port mirroring switch, instead of capturing on one of the end points.

permanent link

answered 05 Jun '12, 13:22

Jim%20Aragon's gravatar image

Jim Aragon
accept rate: 24%

edited 05 Jun '12, 16:19

cmaynard's gravatar image

cmaynard ♦♦

The clue is in the error message: [maybe caused by "IP checksum offload"?)].

Your NIC (or NIC driver) is calculating IP checksums so the stack doesn't bother, and at the point that the capture mechanism gets hold of the packet the checksum is garbage.

You should see that the errors are only reported for outgoing packets from your machine, incoming packets will have the correct checksum.

You can remove the errors by checking the "Support packet-capture from IP TSO-enabled hardware" option in the IP dissectors preferences.

If there were actual errors in the checksums it's extremely unlikely that you would see the packets when capturing on a regular NIC as the packets would be discarded.

permanent link

answered 05 Jun '12, 13:27

grahamb's gravatar image

grahamb ♦
accept rate: 22%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 05 Jun '12, 13:08

question was seen: 32,523 times

last updated: 05 Jun '12, 16:19

p​o​w​e​r​e​d by O​S​Q​A