tcpdump mailing list archives

Re: false checksum failure reports


From: Rick Jones <rick.jones2 () hp com>
Date: Wed, 07 Nov 2007 10:28:33 -0800

ronnie sahlberg wrote:
On Nov 7, 2007 12:54 PM, Rick Jones <rick.jones2 () hp com> wrote:

Harley Stenzel wrote:

On Nov 6, 2007 2:03 PM, Rick Jones <rick.jones2 () hp com> wrote:


Any thoughts as to how to deal with false checksum failure reports for outbound
traffic being sniffed on a system with ChecKsum Offload (CKO)?  It seems that
Linux has a flag they can set when capturing the packet that would tell us, not
sure what other platforms might have.


Love it.  It would be very nice to know if a packet's checksum will be
calculated in a CKO card.

These are some of the specifics courtesy of folks over in the linux netdev
mailing list:


The thing to check is "TP_STATUS_CSUMNOTREADY".

When using mmap(), it will be provided in the descriptor.  When using
recvmsg() it will be provided via a PACKET_AUXDATA control message
when enabled via the PACKET_AUXDATA socket option.

I have tried to take a quick first look at the pcap code for linux but wasn't in
the correct frame of mind and so got lost rather quickly.

Without a corresponding change to the binary file format (as in find a spare bit
somewhere) the change would initially be limited to "live" tracing.  Not a
complete solution, but a step in the right direction.

Meanwhile, making certain that the docs/manpage etc. call out that tracing on a
CKO capable system/NIC will result in false checksum failure reports for
outbound traffic would be goodness.  I suppose I should have checked if that was
already there before typing the previous sentence, but there you go :)


It should call out that "ON SOME SYSTEMS" this will result in the checksum
being reported as invalid. Some popular systems put 0x0000 in the checksum
field when CKO is used. This allows tools such as Wireshark to heuristically
detect: checksum is wrong, but the packet contains 0x0000 which is what
several popular implementations store in the packet when CKO is used, so no
need to flag it with checksum invalid.

We could be more specific about which systems, sure.

If pcap on Linux would detect CKO and modify the packet to clear the TCP
checksum field to 0x0000 before passing it to the application this would make
tools such as Wireshark work correctly when capturing and also when reading
files without the need to modify the file format.

Well, many (most? all?) of the CKO implementations in the NICs call for the pseudo-header checksum to be in the checksum field. So, for a stack to modify it for the purposes of tracing implies that the stack is making a copy of the packet being traced before handing that to the user.

I'm not sure if Linux is doing that copy. I hope it isn't because packet tracing is expensive enough as it is and Knuth only knows what it would be like for a 10 Gig NIC.

Making a copy just to communicate one bit of information doesn't seem like a very efficient way to do things.

rick jones
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
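
The recvmsg() path described in the thread, as an added example that is not code from the thread or from libpcap: enable PACKET_AUXDATA on a Linux packet socket and test tp_status for TP_STATUS_CSUMNOTREADY. The function names csum_not_ready and check_constructed are hypothetical, and the control message used for the offline check is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#define AUX_SPACE CMSG_SPACE(sizeof(struct tpacket_auxdata))

/* 1: checksum left for the NIC, 0: not flagged, -1: no usable auxdata. */
int csum_not_ready(struct msghdr *msg)
{
    struct tpacket_auxdata aux;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != SOL_PACKET || c->cmsg_type != PACKET_AUXDATA ||
            c->cmsg_len < CMSG_LEN(sizeof(aux)))
            continue;                     /* other or truncated message */
        memcpy(&aux, CMSG_DATA(c), sizeof(aux));
        return (aux.tp_status & TP_STATUS_CSUMNOTREADY) != 0;
    }
    return -1;
}

/* Constructed sample: the control message the kernel would attach. */
int check_constructed(unsigned int status)
{
    _Alignas(struct cmsghdr) char ctl[AUX_SPACE] = { 0 };
    struct tpacket_auxdata aux = { .tp_status = status };
    struct msghdr msg = { .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_PACKET; c->cmsg_type = PACKET_AUXDATA;
    c->cmsg_len = CMSG_LEN(sizeof(aux));
    memcpy(CMSG_DATA(c), &aux, sizeof(aux));
    return csum_not_ready(&msg);
}

/* Live use: enable PACKET_AUXDATA, read one frame (needs CAP_NET_RAW). */
int main(void)
{
    unsigned char frame[2048];
    _Alignas(struct cmsghdr) char ctl[AUX_SPACE];
    struct iovec iov = { frame, sizeof(frame) };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    int on = 1, rc = -1, fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd >= 0 && setsockopt(fd, SOL_PACKET, PACKET_AUXDATA, &on, sizeof(on)) == 0 &&
        recvmsg(fd, &msg, 0) >= 0)
        rc = csum_not_ready(&msg);
    printf("checksum not ready: %d\n", rc);   /* -1: capture failed or no auxdata */
    return rc < 0;
}
```

A capture tool that gets 1 back for a frame can skip checksum verification for it instead of reporting a failure.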

