Bug #618

closed

TCP checksum seems to be broken

Added by Sergey Azoskov over 11 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-

Description

Using - master branch(02874a16f5068bdb62998d77582bcf4855251429)
System: Ubuntu 12.10
Dependencies: via apt-get build-dep suricata
Configure options:

 configure \
    --enable-debug \
    --prefix=${PROJECT_DIR}/build/debug/

Packets that were captured from a PCAP interface or PCAP file get a wrongly calculated TCP checksum and fail TCP checksum validation.

Running suricata (compiled with debug)

last-g@lastnotel:~/Workspace/suricata$ sudo build/debug/bin/suricata -i lo | grep Check
[26352] 6/11/2012 -- 22:45:36 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x242bf30 is invalid (computed: 48106, in packet: 12542)
[26352] 6/11/2012 -- 22:45:36 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x2430a30 is invalid (computed: 22046, in packet: 12542)
[26352] 6/11/2012 -- 22:45:36 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x2435530 is invalid (computed: 31238, in packet: 10494)
[26352] 6/11/2012 -- 22:45:39 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x2443630 is invalid (computed: 53183, in packet: 14078)
[26352] 6/11/2012 -- 22:45:39 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x2448130 is invalid (computed: 34559, in packet: 10494)
[26352] 6/11/2012 -- 22:45:42 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x244cc30 is invalid (computed: 45820, in packet: 10494)
[26352] 6/11/2012 -- 22:45:42 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x2451730 is invalid (computed: 57593, in packet: 10494)
[26352] 6/11/2012 -- 22:45:42 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x2456230 is invalid (computed: 57337, in packet: 10494)
^C

Running tcpdump:

last-g@lastnotel:~/Workspace/suricata$ sudo tcpdump -i lo -w dump.pcap port 31337
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
^C8 packets captured
16 packets received by filter
0 packets dropped by kernel

Running test suite:

last-g@lastnotel:~/Workspace/suricata$ nc -kl 31337 &
last-g@lastnotel:~/Workspace/suricata$ nc localhost 31337
HEllo, Kitty!

Same problems when running from capture:

last-g@lastnotel:~/Workspace/suricata$ sudo build/debug/bin/suricata -r dump.pcap | grep Check
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x3104fe0 is invalid (computed: 48106, in packet: 12542)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x3106080 is invalid (computed: 22046, in packet: 12542)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x3107120 is invalid (computed: 31238, in packet: 10494)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x31081c0 is invalid (computed: 53183, in packet: 14078)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x3109260 is invalid (computed: 34559, in packet: 10494)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x310a300 is invalid (computed: 45820, in packet: 10494)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x310b3a0 is invalid (computed: 57593, in packet: 10494)
[26377] 6/11/2012 -- 22:48:38 - (stream-tcp.c:4043) <Debug> (StreamTcpValidateChecksum) -- Checksum of received packet 0x310c440 is invalid (computed: 57337, in packet: 10494)

But Wireshark says that all checksums are correct.
And I have the same problem on the wlan0 interface.


Files

dump.pcap (710 Bytes) - Problem dump - Sergey Azoskov, 11/06/2012 10:53 AM

Actions #1

Updated by Eric Leblond over 11 years ago

I've just opened the provided file in Wireshark. For the occasion, I've reactivated TCP checksum and Wireshark indicates that the TCP checksums are invalid.
For example, for the first packet I have:

Checksum: 0xfe30 [incorrect, should be 0xeabb (maybe caused by "TCP checksum offload"?)]

I've run tcpdump and it confirms the diagnostic.

Actions #2

Updated by Sergey Azoskov over 11 years ago

Yep, thanks.
Seems to be a problem in hardware checksum offload.

Found this old ticket: #311
Maybe need to change the default value or behavior? Most NICs now have checksum offload.

Sorry for uneasiness.

Actions #3

Updated by Eric Leblond over 11 years ago

The problem is complex and the current situation is not satisfactory. On live capture and in default mode, Suricata is using 1000 packets to decide if offload checksumming is used. In pcap reading mode, even if the same algo is used, pcaps are often smaller and this can lead to the analysis problem you've encountered. Any solution better than doing a double pass is more than welcome.
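
Added example, not Suricata's code and not part of the thread: a C sketch of the two pieces comment #3 refers to, TCP checksum verification over the IPv4 pseudo-header and a sampler that only decides after a fixed window of packets, showing why an 8-packet capture never reaches a verdict. The window of 1000 is taken from the comment above; the 10% cut-off, the `csum_sampler` struct, all function names and the sample segment are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1071: add the big-endian 16-bit words of a buffer to a running sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;          /* odd byte, zero padded */
    return sum;
}

/* Checksum over IPv4 pseudo-header + TCP segment as captured. With the
 * checksum field zeroed this is the value to store; on a segment that
 * already carries a correct checksum it returns 0. */
uint16_t tcp4_csum(const uint8_t src[4], const uint8_t dst[4],
                   const uint8_t *seg, size_t len)
{
    uint8_t ph[4] = { 0, 6, (uint8_t)(len >> 8), (uint8_t)len };
    uint32_t sum = csum_add(csum_add(csum_add(0, src, 4), dst, 4), ph, 4);
    sum = csum_add(sum, seg, len);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical sampler: decide only after `window` TCP packets were seen. */
enum csum_mode { CSUM_UNDECIDED, CSUM_VALIDATE, CSUM_IGNORE };
struct csum_sampler { unsigned seen, bad, window, bad_pct; };
enum csum_mode csum_sample(struct csum_sampler *s, int ok)
{
    if (s->seen < s->window) { s->seen++; s->bad += !ok; }
    if (s->seen < s->window) return CSUM_UNDECIDED;  /* short pcaps stop here */
    return s->bad * 100 >= s->seen * s->bad_pct ? CSUM_IGNORE : CSUM_VALIDATE;
}

int main(void)
{
    /* Constructed sample: 20-byte TCP header to port 31337 plus "hi\n",
     * checksum field (bytes 16-17) holding a value that does not verify. */
    uint8_t lo[4] = { 127, 0, 0, 1 };
    uint8_t seg[23] = { 0xc0,0x00, 0x7a,0x69, 0,0,0,1, 0,0,0,1, 0x50,0x18,
                        0x01,0x00, 0xfe,0x30, 0,0, 'h','i','\n' };
    struct csum_sampler s = { 0, 0, 1000, 10 };   /* 10% is an assumed cut-off */
    enum csum_mode m = CSUM_UNDECIDED;
    for (int i = 0; i < 8; i++)                   /* 8 packets, like dump.pcap */
        m = csum_sample(&s, tcp4_csum(lo, lo, seg, sizeof seg) == 0);
    printf("after %u packets: bad=%u mode=%d\n", s.seen, s.bad, m);
    return 0;
}
```

With all 8 sampled packets failing verification the sampler still returns `CSUM_UNDECIDED`, which is the small-pcap case the comment describes.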

Actions #4

Updated by Sergey Azoskov over 11 years ago

We have a problem only with TX packets, don't we?
Skip checksum validation by default for packets that were sent from local addresses on live capture?

Actions #5

Updated by Victor Julien over 11 years ago

It's not always easy to determine where a packet came from. IP Address of the local host may be used, but that can be faked as well.

Actions #6

Updated by Jason Ish about 11 years ago

Command line option to force checksum validation one way or the other? Mostly useful for (small) pcap files.

Actions #7

Updated by Victor Julien about 11 years ago

We could maybe just mimic Snort's -k option...

Actions #8

Updated by Victor Julien over 10 years ago

  • Target version set to TBD

Actions #9

Updated by Andreas Herz over 7 years ago

Victor Julien wrote:

We could maybe just mimic Snort's -k option...

Isn't that solved then?

Actions #10

Updated by Victor Julien over 7 years ago

  • Status changed from New to Closed
  • Target version deleted (TBD)

Yes, in addition to that we have code to make an educated guess about checksums.
