On some Linux machines, when you run Wireshark you may notice that a lot of packets are marked as invalid (highlighted in black). The contents look perfectly correct, but for some reason the checksum is broken, and Wireshark suggests that the reason for this unpleasant event is “TCP checksum offload”. Let’s fix it …
I didn’t actually dive too deep into the problem (sorry, it’s Sunday and still a lot of stuff to finish), but it appeared the problem is in some miscoordination between the OS (I use Linux, but the problem is also visible in Windows) and the network adapter and its driver. Modern network adapters allow offloading some networking tasks from the CPU to their own processor optimized for such tasks, like calculating the TCP packet checksum, for instance. So what’s causing the problem is that the OS expects the NIC to calculate the correct checksum, but Wireshark and other network sniffers do not see the result of that calculation. The solution is simple: just turn this feature off with the following command:
ethtool --offload eth0 rx off tx off
You don’t need to restart your computer or network stack, the changes take effect immediately and affect all programs, including already running ones. Good luck!
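To tell an offload artifact from a genuinely damaged packet before changing NIC settings, the checksum field can be checked directly. The following is an added example, not code from the original post; it assumes the Linux behaviour of pre-filling the field with the pseudo-header sum for the NIC to finish, and the addresses, ports and payload are constructed sample values.

```python
import socket
import struct

SRC, DST = "192.0.2.10", "198.51.100.20"  # constructed documentation addresses

def ones_sum(data: bytes) -> int:
    """Folded 16-bit ones' complement sum of data (not inverted)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def classify(src: str, dst: str, segment: bytes) -> str:
    """Classify the checksum field of a captured IPv4 TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    field = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    ph = pseudo_header(src, dst, len(segment))
    if field == (~ones_sum(ph + zeroed) & 0xFFFF):
        return "valid"            # checksum was completed (on the wire, or offload off)
    if field == ones_sum(ph):
        return "offload-partial"  # assumption: kernel left the pseudo-header sum for the NIC
    return "corrupt"              # matches neither: a real checksum error

def sample_segment(checksum: int) -> bytes:
    """Constructed 20-byte TCP header (PSH|ACK) plus payload, for the demo."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, checksum, 0)
    return hdr + b"hello"

if __name__ == "__main__":
    ph = pseudo_header(SRC, DST, len(sample_segment(0)))
    finished = ~ones_sum(ph + sample_segment(0)) & 0xFFFF  # what the NIC would write
    for label, value in (("on the wire", finished), ("captured locally", ones_sum(ph))):
        print(label, hex(value), classify(SRC, DST, sample_segment(value)))
```

Packets that classify as "corrupt" on a capture taken with offload disabled are the ones worth investigating.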