
Unable to detect incidents from the network traffic


Article ID: 160629


Updated On:


Data Loss Prevention Network Monitor


No incidents are generated, even though the monitored traffic contains data that should match a policy.
Opening the capture file (the pcap file or traffic feed) in Wireshark shows checksum errors: the IP header checksum and/or the TCP checksum are flagged as incorrect.


This can be caused by checksum offloading being enabled on the NIC that Network Monitor captures from.

Technical Background


Checksums are used to verify the integrity of data during transmission or storage. Network protocols (IPv4, TCP and UDP among them) carry a checksum so that the receiver can detect transmission errors.

A plain checksum such as the IP or TCP checksum can only detect an error; it cannot locate or repair it. Some error-correcting codes can additionally work out where a simple error must be and repair it, but that is not what the IP and TCP checksums do.

Transmission can corrupt data (flipped, missing or duplicated bits), so what the receiver gets may not be identical to what was sent. When the checksum does not match, the receiving stack treats the packet as corrupted and discards it. The same rule applies to traffic inspection: a monitor that validates checksums discards any packet whose checksum does not match, regardless of whether the bytes were really corrupted on the wire or only look wrong in the capture.


Further information about checksums can be found at:


With checksum offloading enabled, the operating system hands each outgoing packet to the NIC with the checksum field left as a placeholder, and the NIC computes the real checksum as the frame leaves the hardware. Capture drivers (libpcap as used by Wireshark, tcpdump and Network Monitor) on that host see the packet before the NIC has filled the field in, so the captured copy carries an invalid checksum even though the packet on the wire is correct. A capture engine that validates checksums treats such packets as corrupt and discards them. This is what appears in the captured pcap files: no SMTP data segment is reassembled, and hence no incident is generated.
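The following is an added example, not code from the original article or from the Network Monitor product. It builds a small IPv4/TCP packet carrying an SMTP client line and recomputes both checksums from the raw bytes, the way Wireshark or a capture engine does. The second copy of the packet models what a capture taken on the sending host looks like with TX checksum offloading on: the kernel leaves only the pseudo-header partial sum in the TCP checksum field and lets the NIC finish it. The addresses, ports, payload and that placeholder value are constructed assumptions for the demonstration, not values read from a real capture.

```python
import struct

# Added example (not from the original article): build an IPv4/TCP packet,
# then verify its checksums as a capture tool would. The "captured before
# NIC" copy models a host with TX checksum offloading enabled; the exact
# placeholder the kernel leaves in the field is modelled here as the
# pseudo-header partial sum (an assumption about Linux behaviour).

SRC = bytes([10, 0, 0, 1])                # constructed addresses
DST = bytes([10, 0, 0, 2])
PAYLOAD = b"EHLO mail.example.com\r\n"    # constructed SMTP client line
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; odd-length data is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """The value written into an IP/TCP checksum field: the complemented sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def build_tcp_segment(src, dst, sport, dport, payload, check=None) -> bytes:
    """TCP header (PSH/ACK, seq 1, ack 1, window 8192) plus payload.

    check=None computes the correct checksum; pass a value to plant a
    placeholder and reproduce what an offloading host's capture shows.
    """
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    if check is None:
        check = internet_checksum(
            pseudo_header(src, dst, TCP_PROTO, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", check) + hdr[18:] + payload


def build_ipv4(src, dst, segment) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0x4000,
                      64, TCP_PROTO, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + segment


def verify(packet: bytes) -> dict:
    """Recompute both checksums from the bytes, as Wireshark or a sensor would."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    src, dst, proto = ip_hdr[12:16], ip_hdr[16:20], ip_hdr[9]
    ip_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_computed = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])
    seg = packet[ihl:total_len]
    tcp_stored = struct.unpack("!H", seg[16:18])[0]
    tcp_computed = internet_checksum(
        pseudo_header(src, dst, proto, len(seg)) + seg[:16] + b"\x00\x00" + seg[18:])
    return {"ip_ok": ip_stored == ip_computed, "tcp_ok": tcp_stored == tcp_computed,
            "tcp_stored": tcp_stored, "tcp_computed": tcp_computed}


def would_be_dropped(packet: bytes) -> bool:
    """A sensor that validates checksums discards this packet, SMTP data included."""
    r = verify(packet)
    return not (r["ip_ok"] and r["tcp_ok"])


# What the wire carries (and what a capture on a host without offloading sees).
ON_WIRE = build_ipv4(SRC, DST, build_tcp_segment(SRC, DST, 40000, 25, PAYLOAD))

# What a capture on the sending host sees with TX checksum offloading: the
# checksum field holds only the pseudo-header partial sum (modelled assumption).
TX_PLACEHOLDER = ones_complement_sum(pseudo_header(SRC, DST, TCP_PROTO, 20 + len(PAYLOAD)))
CAPTURED_BEFORE_NIC = build_ipv4(
    SRC, DST, build_tcp_segment(SRC, DST, 40000, 25, PAYLOAD, check=TX_PLACEHOLDER))

if __name__ == "__main__":
    for name, pkt in (("on wire", ON_WIRE), ("captured before NIC", CAPTURED_BEFORE_NIC)):
        r = verify(pkt)
        print(f"{name}: tcp checksum 0x{r['tcp_stored']:04x} "
              f"(expected 0x{r['tcp_computed']:04x}) -> "
              f"{'dropped' if would_be_dropped(pkt) else 'accepted'}")
```

Running the script shows the on-wire packet verifying cleanly while the copy captured before the NIC fails the TCP check, which is exactly the "incorrect checksum" Wireshark reports and the reason a checksum-validating monitor never sees the SMTP data. Wireshark itself does not drop the packet; it only annotates it, so a pcap that decodes in Wireshark can still yield nothing in a sensor that enforces checksums.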




To capture traffic correctly in Network Monitor and keep the traffic feed valid, the checksum offloading feature must be disabled on the NIC that Network Monitor captures from.



How to disable checksum offloading




To check whether checksum offloading is enabled, list the interface's offload features and look at the rx-checksumming and tx-checksumming lines (eth0 is an example interface name; substitute the capture interface):


                ethtool -k eth0



Turn off checksum offloading for both transmitted and received data via (as root):


                ethtool -K eth0 tx off

                ethtool -K eth0 rx off





These ethtool settings do not persist across a reboot, so make them permanent through the distribution's network configuration. If ethtool reports a checksum feature as [fixed], it cannot be changed this way; check the documentation for that specific NIC driver for how to disable checksum offloading.
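The following is an added example, not code from the original article or from the Network Monitor product. It automates the check-then-disable procedure above: it parses `ethtool -k` output, reports whether RX and TX checksum offloading are on, builds the matching `ethtool -K` commands (using the short names `rx` and `tx` that ethtool accepts for rx-checksumming and tx-checksumming), and skips features ethtool marks as [fixed]. The sample output embedded below is constructed in the format ethtool prints and is not from a real host; the interface name eth0 is an assumption.

```python
import re
import subprocess

# Added example (not from the original article): parse `ethtool -k IFACE`
# output and derive the `ethtool -K` commands that switch checksum
# offloading off. The sample text is constructed, not captured from a host.
SAMPLE_ETHTOOL_K = """\
Features for eth0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
\ttx-checksum-ip-generic: on
\ttx-checksum-ipv6: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
\ttx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

# "name: on|off" optionally followed by a bracketed note such as [fixed].
FEATURE_RE = re.compile(
    r"^\s*(?P<name>[\w-]+):\s*(?P<state>on|off)(?P<note>\s*\[[^\]]*\])?\s*$")

# Aggregate feature name as printed by -k, and the short name -K accepts for it.
CHECKSUM_FEATURES = (("tx-checksumming", "tx"), ("rx-checksumming", "rx"))


def parse_features(text: str) -> dict:
    """Map feature name -> (enabled, fixed); indented sub-features are included."""
    features = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            fixed = m["note"] is not None and "fixed" in m["note"]
            features[m["name"]] = (m["state"] == "on", fixed)
    return features


def checksum_offload_state(features: dict) -> dict:
    """{'tx': bool, 'rx': bool}: True when that direction's checksum offload is on."""
    return {short: features.get(name, (False, False))[0]
            for name, short in CHECKSUM_FEATURES}


def disable_commands(iface: str, features: dict) -> list:
    """ethtool -K argument vectors needed to turn off whatever checksum offload is on."""
    cmds = []
    for name, short in CHECKSUM_FEATURES:
        enabled, fixed = features.get(name, (False, False))
        if enabled and not fixed:
            cmds.append(["ethtool", "-K", iface, short, "off"])
    return cmds


def fixed_checksum_features(features: dict) -> list:
    """Checksum features that are on but cannot be toggled with ethtool ([fixed])."""
    return [name for name, _ in CHECKSUM_FEATURES
            if features.get(name, (False, False)) == (True, True)]


def disable_checksum_offload(iface: str, dry_run: bool = True) -> list:
    """Query the live interface and disable checksum offload.

    Needs root to apply, and the change does not survive a reboot.
    """
    out = subprocess.run(["ethtool", "-k", iface], check=True,
                         capture_output=True, text=True).stdout
    feats = parse_features(out)
    for name in fixed_checksum_features(feats):
        print(f"{name} is on but [fixed]; consult the NIC driver documentation")
    cmds = disable_commands(iface, feats)
    for cmd in cmds:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    feats = parse_features(SAMPLE_ETHTOOL_K)
    print("checksum offload:", checksum_offload_state(feats))
    for cmd in disable_commands("eth0", feats):
        print(" ".join(cmd))
```

Run `disable_checksum_offload("eth0")` first with the default dry run to see what would change, then with `dry_run=False` as root to apply it. The parser keeps the other offload lines too, so the same `parse_features` result can be used to review features such as generic-receive-offload or large-receive-offload, which change how captured segments look and are worth reviewing on a capture interface as well.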