This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Please excuse the newbie nature of my post. I have spent a few weeks trying to "Learn my way" into understanding my issue. But I could use a little mentoring here.

I am the "Tech guy" at a small operation. Whenever anyone tries to grab a a larger web page ( Or requests a series of pages in tabs) the network slows to a halt for everyone. We can send thru small requests: no problem. But we can't request a number of complex pages. (We get the index.html page back: but once the included CSS, js, google analytic, Olark etc are asked for. Then they just just stop)

What I have noticed when this "stop" happens is that the entire network is flooded with TCP packed with a bad Checksum.

When I examine them a number of packets have a checksum of 0X00.

My neighbors are seeing the same checksum problems on their networks.

Im pointing the finger at my ISP, But they simply come out an do a speed test (UDP!) and declare things to just be fine.

What can I do to help my poorly trained ISP techs to solve my issue? WHat am i missing/ Am I barking up the wrong tree?

asked 23 Sep '13, 09:15

jvmx_tx's gravatar image

jvmx_tx
1112
accept rate: 0%


With that many CRC errors it is most likely that your procedure of capturing packets is faulty. Where do you capture the packets? If you capture them on the host sending and receiving them (kind of a "piggy backed capture") by installing Wireshark on every single system you test, you will see lots and lots of strange things like bad checksums. What is happening is that you're picking up packets that are not completely finalized before sending them out - the fact that you mention them to have a checksum of 0x00 is a typical sign here. Today's network cards do a lot of work on the packet (like calculating checksums, or segmenting the data into the correct packet sizes), which will not yet have taken place when you pick them up with Wireshark.

You should try to do a capture on a SPAN port (see the Wiki), which should show you no CRC errors because you'll pick up finalized packets at that location.

Also, try to use the I/O graph in the statistics menu to see if your bandwidth touches the maximum of whatever line speed you have bought from your ISP (don't forget to set the Y-Axis unit to "bits per tick"). If so, you're just maxing out your connection. If not, filter on tcp.analysis.flags to see if there are plenty of lost packets, retransmissions etc.

permanent link

answered 23 Sep '13, 09:40

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Most of the time that I see this, it turns out that TCP Checksum off load is enabled for the Capturing NIC and I have TCP Checksum validation enabled in Wiresharek.

This issue is described / discussed in this previous answer http://ask.wireshark.org/questions/19013/ip-checksum-offload-error.

There are 2 options that I have found. 1) disable TCP Checksum validation in Wireshark under 'Edit -> Preferences -> Protocols -> TCP -> Validate the TCP checksum if possigle' This 'Removes' the error by not validating the checksums 2) Disable TCP Checksum off load on your NIC. This "Fixes" this issue,but on heavily used interfaces you may see some performance degradation.

permanent link

answered 23 Sep '13, 16:47

astrader's gravatar image

astrader
26336
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×8

question asked: 23 Sep '13, 09:15

question was seen: 36,647 times

last updated: 23 Sep '13, 16:47

p​o​w​e​r​e​d by O​S​Q​A