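Actually, I run into this all the time when capturing packets, but only today did I get curious enough to Google it.
In short: Wireshark flags the captured packets with a checksum error only because what it intercepts is the checksum field that the operating system filled in arbitrarily. With Checksum Offload enabled on a gigabit NIC, the calculation is handed to the NIC, which still computes the correct checksum and sends the packet out with it.
Over the past few days, while analyzing communication traffic, I found that WireShark showed some packets sent from the local machine as Bad Checksum, with the hint maybe caused by “TCP checksum offload?” or maybe caused by “UDP checksum offload?”
After some Googling, I found that this is a NIC feature that computes the TCP checksum in place of the system's TCP/IP stack.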
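The Checksum Offload process on Windows is as follows:
If the NIC supports it, the Advanced options let you set whether Checksum Offload applies to Rx or to Tx, or to both.
For Tx, once Checksum Offload is enabled, the Windows transport layer fills the TCP checksum with a random value, so packets captured on the local machine show Bad CheckSum. The NIC then computes the correct checksum automatically before sending, so the peer still receives a correct TCP packet.
For Rx, once Checksum Offload is enabled, the NIC fills in an NDIS_TCP_IP_CHECKSUM_PACKET_INFO structure and sets a flag when it receives data; if this fails for some reason, the flag is not set and the Windows TCP/IP stack performs the checksum validation.
Checksum Offload in effect hands part of the transport layer's work to hardware in order to save CPU resources. Microsoft's tests show that it can save up to 30% of CPU resources. IBM's AIX documentation, on the other hand, notes that for a gigabit NIC on a PCI bus it is better to let a CPU of 400 MHz or faster compute the checksum, whereas a PCI-X gigabit NIC with this option enabled can reach line speed and thereby save CPU resources.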
Solution:
On Windows, set the checksum offload property to none in the NIC's advanced properties.
On Linux, use the ethtool command to turn off checksum offload:
# ethtool -K eth0 tx off rx off
[Repost] Repost: Why does TCP Checksum Offload appear in WireShark? _盛夏_樱花_Sina Blog
TCP checksum offload
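Recently, while doing network protocol analysis, I found that WireShark showed some packets sent from the local machine with incorrect Checksum, with the hint maybe caused by “TCP checksum offload”
A Google search showed that changing the system's Checksum Offload setting takes care of it. Checksum Offload is a NIC feature that computes the TCP checksum in place of the system's TCP/IP stack.
On Windows, the Checksum Offload setting is found here (if the NIC supports it):
My Network Places (right-click, Properties) -> Local Area Connection (right-click, Properties) -> General (click Configure…) -> Advanced
Once it is open, Checksum Offload appears in the list; click it and change the value on the right to Rx TCP/IP Checksum.
There are four Checksum Offload settings: whether it applies to Rx or to Tx, and it can also apply to both.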
http://blog.csdn.net/ast_224/article/details/3788895
A guide:
1. Open Device manager (right click "Computer" and click "Manage")
2. Click on "Device Manager"
3. Expand "Network adapters"
4. Right click your network adapter; mine is called "Nvidia nForce 10/100/1000 Mbps Ethernet" etc.
5. Click "Properties"
6. Click the tab named "Advanced"
7. Find "IP Checksum Offload" and click it
8. Set the value on the right to "Disabled"
9. Find "TCP Checksum offload (IPvX)"
10. Set the value to the right to "Disabled"
http://www.techsupportforum.com/forums/f137/wireshark-question-tcp-checksum-offload-248812.html
Checksum Offload
On systems that support checksum offloading, IP, TCP, and UDP checksums are calculated on the NIC just before they're transmitted on the wire. In Wireshark these show up as outgoing packets marked black with red text and the note [incorrect, should be xxxx (maybe caused by "TCP checksum offload"?)].
Wireshark captures packets before they are sent to the network adapter. It won't see the correct checksum because it has not been calculated yet. Even worse, most OSes don't bother to initialize this data, so you're probably seeing little chunks of memory that you shouldn't.
New installations of Wireshark 1.2 and above disable IP, TCP, and UDP checksum validation by default. You can disable checksum validation in each of those dissectors by hand if needed.
If you are experiencing network problems and found these checksum errors while investigating with Wireshark, you may have a network card with TCP checksum offload enabled where, for some reason, the packet is not being fixed by the adapter (NAT, bridge or route redirection is sending the packet to another interface). In this case, you may want to check and disable checksum offload for the adapter, if possible.
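To tell an offload artifact from real corruption, it helps to recompute the value behind the "[incorrect, should be xxxx]" note yourself. The Python below is an added example (not from the original page or from Wireshark) that computes the TCP checksum over the IPv4 pseudo-header and segment and compares it with the captured field; the sample packet, its documentation addresses and ports, and the 0xBEEF placeholder are constructed for illustration.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"                        # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksums(ip_packet: bytes):
    """Return (captured, expected) TCP checksum of an unfragmented IPv4 packet."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if len(ip_packet) < total_len:
        raise ValueError("capture truncated (snaplen), cannot validate")
    segment = ip_packet[ihl:total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    captured = struct.unpack("!H", segment[16:18])[0]
    # Pseudo-header: source address, destination address, zero, protocol, TCP length
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field as zero
    expected = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return captured, expected

def describe(ip_packet: bytes) -> str:
    captured, expected = tcp_checksums(ip_packet)
    if captured == expected:
        return "0x%04x [correct]" % captured
    return "0x%04x [incorrect, should be 0x%04x]" % (captured, expected)

def build_sample(checksum_field: int) -> bytes:
    """Constructed IPv4/TCP packet; the IP header checksum is left 0 (not checked here)."""
    payload = b"GET / HTTP/1.1\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18,
                      65535, checksum_field, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

if __name__ == "__main__":
    local = build_sample(0xBEEF)               # arbitrary field, as captured on the sender
    _, good = tcp_checksums(local)
    on_wire = build_sample(good)               # field as the NIC fills it before sending
    print("sender-side capture:  ", describe(local))
    print("receiver-side capture:", describe(on_wire))
```

If the same packet validates when captured on the receiving host or a mirror port but not on the sender, the mismatch is the offload artifact described above and not damage in transit.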
Linux
Checksum offloading can be enabled and disabled with the ethtool command.
To check:
ethtool --show-offload ethX
To disable:
ethtool --offload ethX rx off tx off
Or, with some 3Com cards (see 3c59x vortex docs):
rmmod 3c59x ; modprobe 3c59x hw_checksums=0
Windows
In Windows, go to Control Panel->Network and Internet Connections->Network Connections, right click the connection to change and choose 'Properties'. Press the 'Configure...' button, choose the 'Advanced' tab to see or modify the "Offload Transmit TCP Checksum" and "Offload Receive TCP Checksum" values.
Segmentation Offload
Some cards can reassemble traffic. This will manifest itself in Wireshark as packets that are larger than expected, such as a 2900-byte packet on a network with a 1500-byte MTU. You can check and change offloading behavior on Linux and Windows using the methods described in the previous section.
TCP Chimney
Chimney offloading lets the NIC handle processing for established TCP connections. On Windows, offloaded connections bypass WinPcap, which means that you won't capture TCP conversations.
netsh int ip set chimney disabled