tcpdump mailing list archives
Re: false checksum failure reports
From: Rick Jones <rick.jones2 () hp com>
Date: Wed, 07 Nov 2007 10:28:33 -0800
ronnie sahlberg wrote:
On Nov 7, 2007 12:54 PM, Rick Jones <rick.jones2 () hp com> wrote:

Harley Stenzel wrote:

On Nov 6, 2007 2:03 PM, Rick Jones <rick.jones2 () hp com> wrote:

Any thoughts as to how to deal with false checksum failure reports for outbound traffic being sniffed on a system with ChecKsum Offload (CKO)? It seems that linux has a flag they can set when capturing the packet that would tell us, not sure what other platforms might have

Love it. It would be very nice to know if a packet's checksum will be calculated in a CKO card.

These are some of the specifics courtesy of folks over in the linux netdev mailing list:

The thing to check is "TP_STATUS_CSUMNOTREADY". When using mmap(), it will be provided in the descriptor. When using recvmsg() it will be provided via a PACKET_AUXDATA control message when enabled via the PACKET_AUXDATA socket option.

I have tried to take a quick first look at the pcap code for linux but wasn't in the correct frame of mind and so got lost rather quickly. Without a corresponding change to the binary file format (as in find a spare bit somewhere) the change would initially be limited to "live" tracing. Not a complete solution, but a step in the right direction. Meanwhile, making certain that the docs/manpage etc call-out that tracing on a CKO capable system/NIC will result in false checksum failure reports for outbound traffic would be goodness. I suppose I should have checked if that was already there before typing the previous sentence, but there you go :)

It should call out that "ON SOME SYSTEMS" this will result in the checksum being reported as invalid. Some popular systems put 0x0000 in the checksum field when CKO is used. This allows tools such as wireshark to heuristically detect: checksum is wrong, but the packet contains 0x0000 which is what several popular implementations store in the packet when CKO is used, so no need to flag it with checksum invalid.
We could be more specific about which systems, sure.
If pcap on linux would detect CKO and modify the packet to clear the tcp checksum field to 0x0000 before passing it to the application this would make tools such as wireshark work correctly when capturing and also when reading files without the need to modify the file format.
Well, many (most? all?) of the CKO implementations in the NICs call for the pseudo-header checksum to be in the checksum field. So, for a stack to modify it for the purposes of tracing implies that the stack is making a copy of the packet being traced before handing that to the user.
I'm not sure if Linux is doing that copy. I hope it isn't because packet tracing is expensive enough as it is and knuth only knows what it would be like for a 10 Gig NIC.
Making a copy just to communicate one bit of information doesn't seem like a very efficient way to do things.
rick jones