This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Still getting header checksum errors after disabling

0

I understand why I was getting so many header checksum errors, so I went to Edit > Preferences > Protocols and chose IPv4 as well as TCP and deselected 'Validate the IPv4 checksum if possible'.

I'm still getting lots of header checksum errors, however. I would think they would be taken care of by making those setting changes.

Anyone have any ideas?

Regards, Joe

asked 24 Jul '12, 08:45


JoeyJoeJoe1970


2 Answers:

0

Are they by any chance UDP packets? You might want to disable checksum checking in the UDP protocol preferences too...

answered 24 Jul '12, 09:01


SYN-bit ♦♦

Nope. Checksum validation was turned off for IPv4, TCP and UDP.

The error I see is 'Header checksum: 0x000 [incorrect, should be 0xf9dc (maybe caused by "IP checksum offload"?)]'.

It's not for every packet but definitely every third one or so.

(24 Jul '12, 09:23) JoeyJoeJoe1970

Incoming or outgoing packets?

(24 Jul '12, 09:29) grahamb ♦

0

Nope. Checksum validation was turned off for IPv4, TCP and UDP. The error I see is 'Header checksum: 0x000 [incorrect, should be 0xf9dc (maybe caused by "IP checksum offload"?)]'.

sounds like IP checksum checking is not disabled, although you say so.

The code in epan/dissectors/packet-ip.c (Wireshark 1.8.0) will only print that specific error message, if the IP preference "Validate the IPv4 checksum if possible" is set (Default: yes/true).

http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-ip.c

What is the output of the following command?

windows: tshark -G currentprefs | find "ip.check"
unix: tshark -G currentprefs | grep -i "ip.check"

What is your Wireshark version?

Regards
Kurt

answered 24 Jul '12, 11:49


Kurt Knochner ♦

edited 24 Jul '12, 12:27

command: tshark -G currentprefs | find "ip.check" results: ip.check_checksum: FALSE

Version 1.8.1 (SVN Rev 43946 from /trunk-1.8)

Puzzling

(24 Jul '12, 12:27) JoeyJoeJoe1970

Puzzling

yep. Can you please post a screenshot (and possibly a sample capture file)?

(24 Jul '12, 12:28) Kurt Knochner ♦

I just tested with 1.8.1 on Windows 7 (32 Bit) and it works as expected. I modified the IP checksum with a HEX editor.

IP checksum checking: OFF

Header checksum: 0x0000 [validation disabled]

IP checksum checking: ON

Header checksum: 0x0000 [incorrect, should be 0x267a (may be caused by "IP checksum offload"?)]

If you run it on Windows as well, I recommend uninstalling Wireshark (delete preferences - ONLY if you don't need them) and then reinstalling.

(24 Jul '12, 12:41) Kurt Knochner ♦
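
The two outputs compared in the last comment can be reproduced outside Wireshark. The following is an added example, not code from this thread or from Wireshark's packet-ip.c: it computes the RFC 1071 IPv4 header checksum and reports a stored value of 0x0000 (as left in a capture when the NIC fills the checksum in after the capture point) with validation on and off. The function names, the status strings and the sample header are constructed for illustration.

```python
import struct

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 checksum of an IPv4 header, with the checksum field taken as zero."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    # Bytes 10-11 hold the checksum; they are zeroed before summing.
    data = header[:10] + b"\x00\x00" + header[12:ihl]
    total = sum(struct.unpack(f"!{ihl // 2}H", data))
    while total >> 16:                     # fold carries back in (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def checksum_status(header: bytes, validate: bool) -> str:
    """Hypothetical helper: summarise the stored checksum the way a dissector might."""
    stored = struct.unpack("!H", header[10:12])[0]
    if not validate:
        return f"0x{stored:04x} [validation disabled]"
    expected = ipv4_header_checksum(header)
    if stored == expected:
        return f"0x{stored:04x} [correct]"
    return f"0x{stored:04x} [incorrect, should be 0x{expected:04x}]"

# Constructed sample: a 20-byte UDP/IPv4 header, 192.168.0.1 -> 192.168.0.199.
SAMPLE_OK = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
# Same header as it looks when captured before the checksum is filled in.
SAMPLE_ZEROED = SAMPLE_OK[:10] + b"\x00\x00" + SAMPLE_OK[12:]

if __name__ == "__main__":
    for name, hdr in (("on the wire", SAMPLE_OK), ("offloaded", SAMPLE_ZEROED)):
        for validate in (False, True):
            print(f"{name:12} validate={validate!s:5} -> {checksum_status(hdr, validate)}")
```

A zeroed checksum only produces an "incorrect" result when validation is on, so seeing that result indicates the validating code path is still active for the capture being viewed.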