This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Header checksum Error even when Disabling checksum validation in Wireshark

0

Hi all ,

i need your help please , i sniffed my packets and saw many error evrey seconds , i read about it and saw it excaly match the problem with checksum validation in Wireshark. i turn it off and still it doesn't go away , i still see all Red packets in my network. any Suggestions?

asked 03 Mar '13, 22:46

Alon%20Fox's gravatar image

Alon Fox
5125
accept rate: 0%

One Answer:

1

Red packets matched a specific coloring rule and so were colored that way. To find out which coloring rule a particular packet matched, you can expand the Frame in the packet details and look for the name and rule string. For example:

[-] Frame 6: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
      Encapsulation type: Ethernet (1)
      ...
      [Protocols in frame: eth:ip:tcp]
      [Coloring Rule Name: Bad TCP]
      [Coloring Rule String: tcp.analysis.flags]

answered 03 Mar '13, 23:16

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

HI , I have diffrent types of error when i sniffed .the most common is the third ,and the checksum error come from my nic ,but the checksum validation in Wireshark is not enabled .

First:

[Protocols in frame: eth:ip:tcp]
      [Coloring Rule Name: Bad TCP]
      [Coloring Rule String: tcp.analysis.flags]

Second:

[Protocols in frame: eth:ip:tcp:http:data]
      [Coloring Rule Name: Bad TCP]
      [Coloring Rule String: tcp.analysis.flags]

third:

[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: checksum Errors]
Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || mstp.checksum_bad==1
(03 Mar '13, 23:59) Alon Fox

As you can see, the same coloring rule is applied for multiple cases of checksum errors. Since the packet contains both IP and TCP data, it's likely that you only disabled IP checksum validation or TCP checksum validation, but not both.

(04 Mar '13, 05:56) cmaynard ♦♦