2

I was testing tcpdump to see the traffic between the HAProxy server and the mariadb server. These are the results:

23:07:22.328958 00:0c:29:a9:28:a8 > 00:50:56:b0:e0:ea, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 62140, offset 0, flags [DF], proto TCP (6), length 52)
    172.24.2.51.46370 > 172.24.2.41.9200: Flags [.], cksum 0xcf6a (incorrect), seq 2091233458, ack 1346328093, win 229, options [nop,nop,TS val 2961588746 ecr 287872844], length 0
    0x0000:  4500 0034 f2bc 4000 4006 e966 ac18 033d  E..4..@.@..f...=
    0x0010:  ac18 0333 b522 23f0 7ca5 b0b2 503f 561d  ...3."#.|...P?V.
    0x0020:  8010 00e5 cf6a 0000 0101 080a b086 420a  .....j........B.
    0x0030:  1128 974c                                .(.L

23:07:22.328997 00:0c:29:a9:28:a8 > 00:50:56:b0:e0:ea, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 62141, offset 0, flags [DF], proto TCP (6), length 74)
    172.24.2.51.46370 > 172.24.2.41.9200: Flags [P.], cksum 0x460a (correct), seq 0:22, ack 1, win 229, options [nop,nop,TS val 2961588746 ecr 287872844], length 22
        0x0000:  4500 004a f2bd 4000 4006 e94f ac18 033d  E..J..@.@..O...=
        0x0010:  ac18 0333 b522 23f0 7ca5 b0b2 503f 561d  ...3."#.|...P?V.
        0x0020:  8018 00e5 460a 0000 0101 080a b086 420a  ....F.........B.
        0x0030:  1128 974c 4f50 5449 4f4e 5320 2f20 4854  .(.LOPTIONS./.HT
        0x0040:  5450 2f31 2e30 0d0a 0d0a                 TP/1.0....

23:07:22.357592 00:0c:29:a9:28:a8 > 00:50:56:b0:e0:ea, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 62142, offset 0, flags [DF], proto TCP (6), length 52)
    172.24.2.51.46370 > 172.24.2.41.9200: Flags [.], cksum 0xcf0a (correct), seq 22, ack 18, win 229, options [nop,nop,TS val 2961588774 ecr 287872873], length 0
        0x0000:  4500 0034 f2be 4000 4006 e964 ac18 033d  E..4..@.@..d...=
        0x0010:  ac18 0333 b522 23f0 7ca5 b0c8 503f 562e  ...3."#.|...P?V.
        0x0020:  8010 00e5 cf0a 0000 0101 080a b086 4226  ..............B&
        0x0030:  1128 9769                                .(.i

23:07:22.357641 00:0c:29:a9:28:a8 > 00:50:56:b0:e0:ea, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 62143, offset 0, flags [DF], proto TCP (6), length 52)
    172.24.2.51.46370 > 172.24.2.41.9200: Flags [R.], cksum 0xc1b3 (incorrect), seq 22, ack 18, win 229, options [nop,nop,TS val 0 ecr 287872873], length 0
        0x0000:  4500 0034 f2bf 4000 4006 e963 ac18 033d  E..4..@.@..c...=
        0x0010:  ac18 0333 b522 23f0 7ca5 b0c8 503f 562e  ...3."#.|...P?V.
        0x0020:  8014 00e5 c1b3 0000 0101 080a 0000 0000  ................
        0x0030:  1128 9769 

As you can see in the example, there are two packets or frames that show (incorrect).

What does (incorrect) mean? Does the network packet contain errors?

How can the hex checksum value help with integrity? For example, in the first packet, the cksum shows 0xcf6a. How can this value help with data integrity?

Regards

user3637971
  • Most network (Ethernet and 802.11) cards made this century have 'offload' features that among other things do the checksum computations to reduce load on the CPU; this causes outgoing packets captured in the network stack, before being sent by the card, to have invalid checksums. See https://wiki.wireshark.org/CaptureSetup/Offloading and/or the `-K` option on the `tcpdump` man page. – dave_thompson_085 Mar 09 '19 at 09:21
  • OK, so the checksum could be wrong. So how can I actually check whether the data traffic received is correct? Or how do I validate the data traffic integrity? – user3637971 Mar 09 '19 at 15:28

1 Answer

0

The IP protocol uses a header checksum.

From Wikipedia:

The checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words in the header. For purposes of computing the checksum, the value of the checksum field is zero.

This field is used as a mechanism to see if something has changed in the IP header during transmission (errors or man in the middle).
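
The calculation quoted above, applied to the bytes of the second packet in the question's hex dump, together with the TCP checksum that tcpdump prints as `cksum` (the same sum, taken over a pseudo-header of source address, destination address, protocol and TCP length plus the whole segment). This is an added example, not part of the original answer; the function names are illustrative, and `BITFLIP` and `SWAPPED` are constructed variants of the packet.

```python
import struct

# Second packet of the question's capture (IPv4 header onward), from its hex dump.
PKT = bytes.fromhex(
    "4500004af2bd40004006e94fac18033dac180333"      # IPv4 header (20 bytes)
    "b52223f07ca5b0b2503f561d801800e5460a0000"      # TCP header
    "0101080ab086420a1128974c"                      # TCP options (nop, nop, TS)
    "4f5054494f4e53202f20485454502f312e300d0a0d0a"  # "OPTIONS / HTTP/1.0\r\n\r\n"
)

def inet_checksum(data: bytes) -> int:
    """One's complement of the one's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header_checksum(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    return inet_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])  # checksum field as zero

def tcp_checksum(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    # Pseudo-header: source IP, destination IP, zero byte, protocol, TCP length.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    return inet_checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def stored_checksums(pkt: bytes) -> tuple:
    ihl = (pkt[0] & 0x0F) * 4
    return (struct.unpack("!H", pkt[10:12])[0],
            struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0])

def verify(pkt: bytes) -> tuple:
    """(IP header checksum ok, TCP checksum ok) for one IPv4/TCP packet."""
    ip_stored, tcp_stored = stored_checksums(pkt)
    return (ip_header_checksum(pkt) == ip_stored, tcp_checksum(pkt) == tcp_stored)

# Constructed variants (not from the capture):
BITFLIP = PKT[:-1] + bytes([PKT[-1] ^ 0x01])              # one payload bit changed
SWAPPED = PKT[:52] + PKT[54:56] + PKT[52:54] + PKT[56:]   # two payload words exchanged

if __name__ == "__main__":
    for name, p in (("PKT", PKT), ("BITFLIP", BITFLIP), ("SWAPPED", SWAPPED)):
        print(name, hex(ip_header_checksum(p)), hex(tcp_checksum(p)), verify(p))
```

`SWAPPED` still verifies because the sum does not depend on the order of the 16-bit words, so the checksum detects accidental corruption rather than deliberate modification.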