tcpdump mailing list archives

Re: false checksum failure reports


From: "ronnie sahlberg" <ronniesahlberg () gmail com>
Date: Wed, 7 Nov 2007 13:20:50 +1100

On Nov 7, 2007 12:54 PM, Rick Jones <rick.jones2 () hp com> wrote:
Harley Stenzel wrote:
On Nov 6, 2007 2:03 PM, Rick Jones <rick.jones2 () hp com> wrote:

Any thoughts as to how to deal with false checksum failure reports for outbound
traffic being sniffed on a system with ChecKsum Offload (CKO)?  It seems that
linux has a flag they can set when capturing the packet that would tell us, not
sure what other platforms might have


Love it.  It would be very nice to know if a packet's checksum will be
calculated in a CKO card.

These are some of the specifics courtesy of folks over in the linux netdev
mailing list:

The thing to check is "TP_STATUS_CSUMNOTREADY".

When using mmap(), it will be provided in the descriptor.  When using
recvmsg() it will be provided via a PACKET_AUXDATA control message
when enabled via the PACKET_AUXDATA socket option.

I have tried to take a quick first look at the pcap code for linux but wasn't in
the correct frame of mind and so got lost rather quickly.

Without a corresponding change to the binary file format (as in find a spare bit
somewhere) the change would initially be limited to "live" tracing.  Not a
complete solution, but a step in the right direction.

Meanwhile, making certain that the docs/manpage etc call-out that tracing on a
CKO capable system/NIC will result in false checksum failure reports for
outbound traffic would be goodness.  I suppose I should have checked if that was
already there before typing the previous sentence, but there you go :)

It should call out that "ON SOME SYSTEMS" this will result in the
checksum being reported as invalid.
Some popular systems put 0x0000 in the checksum field when CKO is used.
This allows tools such as wireshark to heuristically detect: checksum
is wrong, but the packet contains 0x0000, which is what several
popular implementations store in the packet when CKO is used, so no
need to flag it with checksum invalid.

If pcap on linux would detect CKO and modify the packet to clear the
TCP checksum field to 0x0000 before passing it to the application,
this would make tools such as wireshark work correctly when capturing
and also when reading files, without the need to modify the file format.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
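
Added example, not part of the original message and not libpcap code: a C sketch of the two steps discussed in the thread, reading TP_STATUS_CSUMNOTREADY from a PACKET_AUXDATA control message and zeroing the TCP checksum field of such a packet. The function names are hypothetical, the control message in `demo()` is constructed rather than captured, and the packet buffer is assumed to start at an IPv4 header.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/if_packet.h>   /* struct tpacket_auxdata, TP_STATUS_CSUMNOTREADY */

/* Walk the control data filled in by recvmsg() on a packet socket.
 * Returns 1 if the checksum was left for the NIC, 0 if not, -1 if no auxdata. */
int csum_not_ready(struct msghdr *msg)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        struct tpacket_auxdata aux;
        if (c->cmsg_level != SOL_PACKET || c->cmsg_type != PACKET_AUXDATA)
            continue;
        if (c->cmsg_len < CMSG_LEN(sizeof(aux)))
            return -1;                       /* truncated control data */
        memcpy(&aux, CMSG_DATA(c), sizeof(aux));
        return (aux.tp_status & TP_STATUS_CSUMNOTREADY) ? 1 : 0;
    }
    return -1;
}

/* Zero the TCP checksum of an IPv4 packet so readers see the 0x0000 marker.
 * Returns 0 on success, -1 if the buffer is not a first-fragment IPv4/TCP header. */
int clear_tcp_csum(uint8_t *ip, size_t len)
{
    size_t ihl = len ? (size_t)(ip[0] & 0x0f) * 4 : 0;
    if (len < 20 || (ip[0] >> 4) != 4 || ip[9] != 6 || ihl < 20 || len < ihl + 20)
        return -1;
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0)
        return -1;                           /* later fragment: no TCP header */
    ip[ihl + 16] = ip[ihl + 17] = 0;         /* TCP checksum field */
    return 0;
}

/* Constructed control message standing in for what recvmsg() would return. */
int demo(uint32_t status)
{
    union { char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))]; struct cmsghdr a; } u;
    struct tpacket_auxdata aux = { .tp_status = status };
    struct msghdr msg = { .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_PACKET;
    c->cmsg_type = PACKET_AUXDATA;
    c->cmsg_len = CMSG_LEN(sizeof(aux));
    memcpy(CMSG_DATA(c), &aux, sizeof(aux));
    return csum_not_ready(&msg);
}

int main(void) { return demo(TP_STATUS_CSUMNOTREADY) == 1 ? 0 : 1; }
```

On a live capture the auxdata only arrives after the PACKET_AUXDATA socket option has been enabled on the packet socket, as the quoted netdev note says.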