Incorrect IP checksums in Avalanche, what gives?

A question that we see a lot is this one:

“Why does Wireshark see packets generated by Avalanche as invalid?”

Or alternatively:

“Avalanche generates bad traffic! Just look at the PCAPs it generates, they are incorrect!!!!1111!!one”

And it’s true, when you open a PCAP generated by Avalanche, you’ll see that the packets going out of the interfaces are highlighted in red by Wireshark:

If we take a closer look, we’ll see that something is weird: the checksum is … 0x0000, when it should be 0x0e35 according to Wireshark’s own calculation. Another odd thing is that the packets sent by the server seem okay:

The plot thickens! Now let’s take a look at the same packet as the first one, but captured from the server side (when doing trial runs, Avalanche automatically generates PCAPs for both sides):

Now the same packet as the first one is correct, with the right checksum (0x0e35).

To sum up:

  • Packets sent from the clients are seen as invalid in the client-side capture
  • Packets received from the servers are seen as valid in the client-side capture
  • Packets sent from the clients are seen as valid in the server-side capture

The reason should be (sort of) obvious now. The PCAP is captured at the driver level, before the packets are handed to the NIC, and the checksum calculation is offloaded to the NIC. At capture time the checksum has therefore not been computed yet (the field is still 0x0000), which triggers the alerts in Wireshark. Packets received from the other end have already been through a NIC, which is why they are shown as valid. Tapping the traffic on the wire would show that both sides send valid packets.
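As an added illustration (not code from the original post or from Avalanche), here is a small Python routine that computes the IPv4 header checksum per RFC 1071 over a constructed header and tells a zeroed, not-yet-computed checksum (the offload case seen in the client-side capture) apart from a genuinely corrupt one. The header bytes and the 0xb861 value are textbook sample values, not the 0x0e35 packet from the captures above.

```python
import struct

# Constructed 20-byte IPv4 header (no options); textbook sample values,
# not taken from the Avalanche captures discussed above.
HEADER_ZERO = bytes.fromhex("4500 0073 0000 4000 4011 0000 c0a8 0001 c0a8 00c7")  # checksum zeroed
HEADER_OK   = bytes.fromhex("4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7")  # checksum filled in
HEADER_BAD  = bytes.fromhex("4500 0073 0000 4000 4011 1234 c0a8 0001 c0a8 00c7")  # genuinely wrong


def ipv4_checksum(packet: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header (IHL*4 bytes),
    with the checksum field (bytes 10-11) treated as zero."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[10:12] = b"\x00\x00"
    total = 0
    for i in range(0, ihl, 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_checksum(packet: bytes) -> str:
    """'valid', 'offloaded' (field still zero: captured before the NIC filled it
    in, the case in the client-side Avalanche capture) or 'corrupt'."""
    stored = struct.unpack("!H", packet[10:12])[0]
    if stored == ipv4_checksum(packet):
        return "valid"
    if stored == 0:
        return "offloaded"
    return "corrupt"


def fill_checksum(packet: bytes) -> bytes:
    """Return the packet with the correct checksum written in, as the NIC would do."""
    return packet[:10] + struct.pack("!H", ipv4_checksum(packet)) + packet[12:]


if __name__ == "__main__":
    for name, pkt in [("zeroed", HEADER_ZERO), ("ok", HEADER_OK), ("bad", HEADER_BAD)]:
        stored = struct.unpack("!H", pkt[10:12])[0]
        print(f"{name}: stored=0x{stored:04x} expected=0x{ipv4_checksum(pkt):04x} "
              f"-> {classify_checksum(pkt)}")
```

If you only want Wireshark to stop flagging such driver-level captures, its IPv4 protocol preference “Validate the IPv4 checksum if possible” can be unchecked; the capture itself is unchanged.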


About acastaner

I'm the EMEA Technical Lead for Application & Security at Spirent. I specialize in layer 4-7 technologies, Cloud, Programming and CyberSecurity.
This entry was posted in Tutorial.
