A question that we see a lot is this one:
“Why does Wireshark see packets generated by Avalanche as invalid?”
“Avalanche generates bad traffic! Just look at the PCAPs it generates, they are incorrect!!!!1111!!one”
And it’s true, when you open a PCAP generated by Avalanche, you’ll see that the packets going out of the interfaces are highlighted in red by Wireshark:
If we take a closer look, we see that something is off: the checksum is … 0x0000, when it should be 0x0e35 according to Wireshark's own calculation. Another odd thing is that the packets sent by the server look fine:
The plot thickens! Now let's take a look at the same packet as the first one, but captured from the server side (when doing trial runs, Avalanche automatically generates PCAPs for both sides):
Now the same packet as the first one is correct, with the right checksum (0x0e35).
To sum up:
- Packets sent from the clients are seen as invalid in the client-side capture
- Packets received from the servers are seen as valid in the client-side capture
- Packets sent from the clients are seen as valid in the server-side capture
The reason should be (sort of) obvious now. The PCAP is captured at the driver level, before the packets are handed to the NIC, and the checksum calculation is offloaded to the NIC. At capture time the checksum has not been computed yet, so the field still holds its placeholder value, which is what triggers the alerts in Wireshark. Packets received from the other end already had their checksum filled in by the sending NIC, which is why they are shown as valid. Tapping the traffic on the wire would show that both sides send valid packets.