Unable to detect incidents from the network traffic
Last Updated July 29, 2014
No incidents are being generated. Opening the capture file (i.e. the pcap file or traffic feed) in Wireshark shows invalid checksum errors.
This could be caused by the NIC having checksum offloading enabled.
Checksums are used to ensure the integrity of data during transmission or storage. Network protocols such as IPv4, TCP and UDP use checksums to detect transmission errors.
Some checksum algorithms can also correct (simple) errors by calculating where the error must be and repairing it; the simple one's complement checksums used by IP, TCP and UDP only detect errors, they cannot repair them.
Network data transmissions can produce errors such as toggled, missing or duplicated bits, so the data received may not be identical to the data transmitted. A frame whose checksum does not verify is treated as modified and no longer in its original form, which is exactly what a network traffic inspection engine must not accept: Wireshark flags such frames, and Monitor does not extract content from them.
With checksum offloading enabled, the operating system hands each outgoing packet to the NIC with the checksum field unfilled (empty or holding only a placeholder), and the adapter hardware computes the real checksum just before the frame leaves the NIC. The capture driver (the libpcap hook used by Wireshark, tcpdump and the Monitor packet capture) sits before that point, so it sees the empty checksums and interprets the packets as invalid, even though the packets carry valid checksums once they are on the wire. On the receive side, offloading lets the NIC validate checksums and, together with receive coalescing features such as GRO/LRO, merge segments before the capture driver sees them, so again the captured frame is not what was on the wire. Packet capture is confused by these checksums, considers the packets invalid and does not reconstruct the stream; this is what is seen in the pcap files: there is no SMTP data segment, and hence no incident.
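The following Python is an added example, not part of the original article. It recomputes the IPv4 and TCP checksums of a constructed packet the same way Wireshark verifies them, once for the frame as it appears on the wire and once for the same frame as the capture hook sees it before the NIC has filled in the TCP checksum. The addresses, ports and SMTP command are made up for the sample; a zero checksum field is used as the placeholder value of the offloaded frame.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum (RFC 1071), the arithmetic behind the IPv4, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"  # an odd-length buffer is padded with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def internet_checksum(data: bytes) -> int:
    """Checksum value written into the header: one's complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF

def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """The TCP checksum also covers this IPv4 pseudo-header: addresses, zero byte, protocol 6, TCP length."""
    return struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes, offloaded: bool) -> bytes:
    """Constructed IPv4+TCP packet (hypothetical sample data, not a real capture).
    offloaded=True leaves the TCP checksum field at zero, mimicking a frame grabbed before the NIC filled it in."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # IPv4 header: version/IHL, TOS, total length, ID, flags (DF), TTL, protocol TCP, checksum 0, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    if not offloaded:
        csum = internet_checksum(tcp_pseudo_header(src_b, dst_b, tcp_len) + tcp + payload)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return ip + tcp + payload

def verify_checksums(pkt: bytes) -> dict:
    """Re-check an IPv4/TCP packet as Wireshark does: a correct header, checksum field included, sums to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF
    segment = pkt[ihl:total_len]
    tcp_ok = proto == 6 and ones_complement_sum(
        tcp_pseudo_header(pkt[12:16], pkt[16:20], len(segment)) + segment) == 0xFFFF
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok, "tcp_checksum_field": struct.unpack("!H", segment[16:18])[0]}

# Constructed sample: the same cleartext SMTP command, once as a wire frame and once as an offloaded frame.
SMTP_PAYLOAD = b"MAIL FROM:<sender@example.com>\r\n"
GOOD = build_ipv4_tcp("192.0.2.10", "198.51.100.25", 40000, 25, SMTP_PAYLOAD, offloaded=False)
OFFLOADED = build_ipv4_tcp("192.0.2.10", "198.51.100.25", 40000, 25, SMTP_PAYLOAD, offloaded=True)

if __name__ == "__main__":
    print("wire frame     :", verify_checksums(GOOD))
    print("offloaded frame:", verify_checksums(OFFLOADED))
```

The offloaded frame passes the IPv4 header check (the IP checksum is usually still computed by the host) but fails the TCP check, which is the "invalid checksum" Wireshark reports on such captures. A frame with a single flipped payload bit fails the same check, so from the capture's point of view an offloaded frame and a corrupted one are indistinguishable.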
In order for Monitor to capture traffic correctly and to validate that the traffic feed is intact, the 'checksum offloading' feature needs to be disabled on the capture NIC, using the tool provided for that hardware NIC (on Linux, ethtool, as shown below).
How to disable checksum offloading
To check whether or not checksum offloading is disabled (look at the rx-checksumming and tx-checksumming lines of the output):
ethtool -k eth0
Turn off checksum offloading for both received and transmitted data via:
ethtool -K eth0 tx off
ethtool -K eth0 rx off
Settings made with ethtool -K do not survive a reboot or a driver reload, so make them permanent in the system's network configuration. For NICs whose drivers do not honour ethtool, or on other operating systems, check the documentation for the specific system drivers on how to disable checksum offloading.
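The following Python script is added here as an example and is not part of the original article. It automates the check above: it parses the output of 'ethtool -k', lists the offload features that are still on, separates those marked [fixed] (which the driver does not let ethtool change), and prints the single 'ethtool -K' command that turns the rest off. It goes beyond the article by also covering GRO and LRO, which likewise alter captured frames by coalescing received segments. The sample output is constructed, and eth0 is a placeholder interface name.

```python
import re
import subprocess
import sys

# Long feature names as printed by `ethtool -k`, mapped to the short names `ethtool -K` accepts.
# rx/tx checksumming are the features the article is about; GRO/LRO (receive coalescing) are
# added here because they also change captured frames and are commonly disabled on monitoring NICs.
OFFLOADS_TO_DISABLE = {
    "rx-checksumming": "rx",
    "tx-checksumming": "tx",
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
}

# One feature line: optional indentation, name, colon, on/off, optional "[fixed]" marker.
_LINE = re.compile(r"^\s*(?P<name>[\w-]+):\s*(?P<state>on|off)(?P<fixed>\s*\[fixed\])?", re.MULTILINE)

def parse_ethtool_k(output: str) -> dict:
    """Parse `ethtool -k IFACE` output into {feature: (enabled, fixed)}."""
    return {m["name"]: (m["state"] == "on", bool(m["fixed"])) for m in _LINE.finditer(output)}

def offloads_still_on(features: dict) -> list:
    """Features from OFFLOADS_TO_DISABLE that are on and that the driver allows us to switch off."""
    return [name for name in OFFLOADS_TO_DISABLE
            if name in features and features[name][0] and not features[name][1]]

def fixed_offloads_on(features: dict) -> list:
    """Features that are on but [fixed]: ethtool cannot change them, so the NIC or driver must change."""
    return [name for name in OFFLOADS_TO_DISABLE
            if name in features and features[name][0] and features[name][1]]

def disable_command(iface: str, names: list) -> str:
    """Single `ethtool -K` invocation that switches the given features off (empty string if nothing to do)."""
    if not names:
        return ""
    return "ethtool -K %s %s" % (iface, " ".join("%s off" % OFFLOADS_TO_DISABLE[n] for n in names))

# Constructed sample in the format `ethtool -k` prints; not taken from a real host.
SAMPLE_OUTPUT = """Features for eth0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
\ttx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

if __name__ == "__main__":
    # With an interface argument the real ethtool output is read; without one the sample is used.
    if len(sys.argv) > 1:
        iface = sys.argv[1]
        output = subprocess.run(["ethtool", "-k", iface], capture_output=True, text=True, check=True).stdout
    else:
        iface, output = "eth0", SAMPLE_OUTPUT
    feats = parse_ethtool_k(output)
    print("offloads still on  :", offloads_still_on(feats))
    print("on but [fixed]     :", fixed_offloads_on(feats))
    print("command to run     :", disable_command(iface, offloads_still_on(feats)) or "(nothing to do)")
```

Run it as root against the capture interface, apply the printed command, and re-run it: the "still on" list should be empty. Anything reported under "[fixed]" cannot be fixed with ethtool and points at the driver documentation step above.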
Imported Document ID: TECH221748