Hello Richard,

>>> "Richard Whittaker" <[EMAIL PROTECTED]> 12/12/07 12:57 PM >>>
> We've done a couple of rounds of network captures
> of several workstations, and have run into some
> significant "oddness"...
>
> In the first round of captures, on 6 of the 8 workstations
> there were in excess of 50% of all packets tagged
> at "TCP CHECKSUM INCORRECT"...
>
> Did some research, found the option to disable TCP
> checksumming, and re-ran the captures... We're getting
> the same results on the same workstations... Is this a
> badly configured network/workstation/driver?...

I assume that you are sniffing ON the machines? If so, were those "50% of all packets" the packets that originated on the station that you were running the sniff on? Then the problem MOST definitely is checksum offloading: the OS is leaving it up to the NIC card to do the calculation, and Wireshark only gets to see the egress frames BEFORE the TCP checksum has been calculated.

Where did you try to "disable TCP checksumming"? Within the driver for the NIC card, to force the OS to do the TCP checksumming? Or within Wireshark, where you can enable/disable the TCP preference "Validate the TCP checksum if possible"? If you disabled this preference within Wireshark I would think that you shouldn't see any checksum incorrect messages.

If you are sniffing both hosts on either side of a TCP session you MAY see that the ingress frames from the peer node have CORRECT TCP checksums. This is a dead giveaway that TCP checksumming is involved.

Hope this helps,

Jim Y.

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
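
Added example, not part of the original message: a Python sketch of the directional check described in the reply. It recomputes each TCP checksum and splits the failures by direction; failures seen only on frames sent by the capturing host point to checksum offloading. The addresses, ports, frames and function names are constructed for illustration.

```python
import socket
import struct

def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src, dst, segment):
    """Checksum over the IPv4 pseudo-header plus the segment, checksum field zeroed."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def checksum_valid(src, dst, segment):
    """Compare the checksum carried in bytes 16-17 with the recomputed one."""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src, dst, segment)

def build_segment(src, dst, payload, offloaded):
    """Constructed 20-byte TCP header plus payload, used only as sample input."""
    seg = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    value = tcp_checksum(src, dst, seg)
    if offloaded:
        # Constructed stale value: stands in for whatever the stack leaves
        # in the field when the NIC is expected to fill it in later.
        value ^= 0xFFFF
    return seg[:16] + struct.pack("!H", value) + seg[18:]

def diagnose(frames, local_ip):
    """frames: (src, dst, tcp_segment) tuples captured on local_ip."""
    bad_out = sum(1 for s, d, seg in frames if s == local_ip and not checksum_valid(s, d, seg))
    bad_in = sum(1 for s, d, seg in frames if s != local_ip and not checksum_valid(s, d, seg))
    # Bad ingress checksums cannot be explained by local offloading.
    verdict = "investigate" if bad_in else ("offload-likely" if bad_out else "clean")
    return bad_out, bad_in, verdict

LOCAL, PEER = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
SAMPLE = [  # constructed capture as seen on LOCAL
    (LOCAL, PEER, build_segment(LOCAL, PEER, b"GET / HTTP/1.0\r\n\r\n", True)),
    (PEER, LOCAL, build_segment(PEER, LOCAL, b"HTTP/1.0 200 OK\r\n\r\n", False)),
    (LOCAL, PEER, build_segment(LOCAL, PEER, b"", True)),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, LOCAL))
```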