Wireshark-bugs: [Wireshark-bugs] [Bug 10687] Feature Request: Bad Checksum 0x00000000
Date: Thu, 29 Jan 2015 19:15:41 +0000

Comment # 10 on bug 10687 from
(In reply to Sam from comment #8)
> What I am trying to say is that a checksum of 0x00000000 is different than
> if the checksum was a non-zero number and wrong. 

You keep using 4-byte checksums - are you referring to the Ethernet FCS?  If
not, which 2-byte checksum are you referring to?  I suspect you are referring
to TCP checksums, and assuming so, why again should a TCP checksum of 0x0000,
if incorrect, be treated any differently than any other incorrect checksum?  A
TCP checksum of 0x0000 could in fact be a perfectly valid checksum.  Or of
course it could be an invalid checksum, possibly due to checksum offloading or
possibly because of some other reason, just like any other incorrect checksum
value.

> On one hand you should probably follow the standards on how you handle this,

Which standard are you referring to?  If Wireshark is not following a
particular protocol standard, such as http://tools.ietf.org/html/rfc793, then
Wireshark should be fixed so that it does follow the standard.  I believe it is
following the standards though.

> but on the other hand it just means I am going to turn off checksum
> validation and if there was a problem with a checksum I would miss it.

Yes, that is the risk of disabling it.

> It would just be nice if a zero checksum returned some sort of warning about
> checksum offloading, but a non zero number returned an error that said the
> checksum was wrong.

You seem to be incorrectly assuming that if checksum offloading is enabled that
the checksum will be 0.  As Alexis pointed out in comment 2, and which I've
personally experienced, that is not necessarily the case.  Further, a TCP zero
checksum might not have anything to do with checksum offloading; it might just
be the actual transmitted checksum because well, that's what the algorithm
computed the checksum to be.

If checksum errors are suspected, then I think your best better is to use
Jeff's recommendation from comment 4.  Either that or capture using a separate
host where there's 0x0000 chance of checksum offloading affecting your results.


You are receiving this mail because:
  • You are watching all bug changes.