- Posts: 154
- Thank you received: 0
Need some advice - Ethereal 'Black' packets - Checksum error
18 years 11 months ago #12772
by Starfire
[Reposted from OS Other to correct section]
Hi Firewall.cx peeps,
I'm a new member to firewall.cx (great site btw) and this is my first post. I'm having a problem trying to diagnose from Ethereal and I just don't have sufficient knowledge to fathom out the problem yet.
At work I have been tasked with tracking down network problems on a particular site and I have been using Ethereal to try and narrow down on the problems there.
I've spotted some obvious problems (a couple of network cards gone bad) and disconnected these from the network. This has cut down on the spamming traffic but they are still experiencing this 'slowness' .
Capturing all traffic at the site, I am getting 'Black' packets in Ethereal from certain PCs where the TCP portion of the packet is showing the Checksum is incorrect and should be something else. However, the action I am carrying out on the PC (firing up IE) functions correctly and the ethereal trace shows no request for retransmission of this supposedly bad packet.
The application in question is web based using an IPSec encrypted connection similar to internet banking I suppose and I am wondering if this encryption is changing this checksum. The application works fine (with no packet resend requests) but still there are these checksum errors.
Does anyone have a clue as to what is actualy happening here to give me a better understanding as to what is actualy going on here.
Most gratefull if anyone can help.
Regards
Star.
Hi Firewall.cx peeps,
I'm a new member to firewall.cx (great site btw) and this is my first post. I'm having a problem trying to diagnose from Ethereal and I just don't have sufficient knowledge to fathom out the problem yet.
At work I have been tasked with tracking down network problems on a particular site and I have been using Ethereal to try and narrow down on the problems there.
I've spotted some obvious problems (a couple of network cards gone bad) and disconnected these from the network. This has cut down on the spamming traffic but they are still experiencing this 'slowness' .
Capturing all traffic at the site, I am getting 'Black' packets in Ethereal from certain PCs where the TCP portion of the packet is showing the Checksum is incorrect and should be something else. However, the action I am carrying out on the PC (firing up IE) functions correctly and the ethereal trace shows no request for retransmission of this supposedly bad packet.
The application in question is web based using an IPSec encrypted connection similar to internet banking I suppose and I am wondering if this encryption is changing this checksum. The application works fine (with no packet resend requests) but still there are these checksum errors.
Does anyone have a clue as to what is actualy happening here to give me a better understanding as to what is actualy going on here.
Most gratefull if anyone can help.
Regards
Star.
18 years 10 months ago #13279
by d_jabsd
Replied by d_jabsd on topic Re: Need some advice - Ethereal 'Black' packets - Checksum error
Starfire, what nic are you using?
If the nic supports checksum offloading, you have 2 options:
1) turn off checksum offloading. You may experience a slight performance hit, but nothing worrisome unless the nic is installed in a heavily used server.
2) ignore that error. Defnitely investigate, but if the checksums are ok with offloading off, then you know its not a problem.
Ethereal does not know how to deal with checksum offloading found on some nics (I've seen it happen with Broadcom and Intel Nics... i'm sure others do the same).
Since the card is calculating the checksum before passing it on to the kernel, that field is left blank or populated with junk, making ethereal think the checksum failed. Normally this process is done by the cpu through the kernel.
If this is the case for you, I suggest ignoring ethereal since checksum calculation on the card is pretty nice and can boost performance by freeing up cpu cycle for more important things.
If the nic supports checksum offloading, you have 2 options:
1) turn off checksum offloading. You may experience a slight performance hit, but nothing worrisome unless the nic is installed in a heavily used server.
2) ignore that error. Defnitely investigate, but if the checksums are ok with offloading off, then you know its not a problem.
Ethereal does not know how to deal with checksum offloading found on some nics (I've seen it happen with Broadcom and Intel Nics... i'm sure others do the same).
Since the card is calculating the checksum before passing it on to the kernel, that field is left blank or populated with junk, making ethereal think the checksum failed. Normally this process is done by the cpu through the kernel.
If this is the case for you, I suggest ignoring ethereal since checksum calculation on the card is pretty nice and can boost performance by freeing up cpu cycle for more important things.
18 years 10 months ago #13301
by jwj
-Jeremy-
Replied by jwj on topic Re: Need some advice - Ethereal 'Black' packets - Checksum error
Very interesting post, d_jabsd. Any other sniffer's that do this that you know of?
-Jeremy-
18 years 10 months ago #13312
by Starfire
Replied by Starfire on topic Re: Need some advice - Ethereal 'Black' packets - Checksum error
Thanks d_jabsd,
From your response, I have looked further into this Checksum Offloading and found information on the Ethereal site regarding exactly this.
This is more of an Ethereal software problem as opposed to problems with the network I am still trying to sort out and your response allowed me to rule out these packets as the problem.
Many Thanks
From your response, I have looked further into this Checksum Offloading and found information on the Ethereal site regarding exactly this.
This is more of an Ethereal software problem as opposed to problems with the network I am still trying to sort out and your response allowed me to rule out these packets as the problem.
Many Thanks
18 years 10 months ago #13317
by d_jabsd
Not that I know of, but I can't say i've actually looked. I never tried to replicate the issue in ethereal under bsd/linux. It may or may not have the same result. I seem to remember reading that this was an issue isolated to windows, due to the interaction between user-land apps and kernel-land, but it may affect all OSs when checksum offloading is enabled.
Replied by d_jabsd on topic Re: Need some advice - Ethereal 'Black' packets - Checksum error
Very interesting post, d_jabsd. Any other sniffer's that do this that you know of?
Not that I know of, but I can't say i've actually looked. I never tried to replicate the issue in ethereal under bsd/linux. It may or may not have the same result. I seem to remember reading that this was an issue isolated to windows, due to the interaction between user-land apps and kernel-land, but it may affect all OSs when checksum offloading is enabled.
Time to create page: 0.125 seconds