Unable to detect incidents from the network traffic

book

Article ID: 160629

calendar_today

Updated On:

Products

Data Loss Prevention Network Monitor

Issue/Introduction

No incidents are being generated
Opening the capture file i.e. pcap file/traffic feed in Wireshark will show invalid checksum errors.

Resolution

This could be caused by the NIC having checksum offloading enabled.

Technical Background

 

Checksums are used to ensure the integrity of data portions for data transmission or storage. Network protocols very often use checksums to detect such errors as transmission errors.

Some checksum algorithms are able to recover (simple) errors by calculating where the expected error must be and repairing it.

Network data transmissions often produce errors, such as toggled, missing or duplicated bits. As a result, the data received might not be identical to the data transmitted. This is an undesired behavior when it comes to network traffic inspection because the traffic is at this point modified and no longer in its original form!

 

Further information about checksums can be found at: http://en.wikipedia.org/wiki/Checksum.

 

Capture drivers (wireshark/tcpdump/packet capture) gets these empty checksums and interprets them as invalid, even though the packets will contain valid checksums when they leave the network hardware later. Packet capture is getting confused with these empty checksums, and considers the packet invalid; which what I see in the vpcap files i.e. there is no SMTP data segment, and hence no incident.

 

Note:

 

In order to correctly capture traffic by Monitor and validate the sanctity of the traffic feed 'checksum offloading' feature needs to be disabled for that hardware NIC provider.

 

 

How to disable checksum offloading

 

Linux:

 

To check whether or not checksum offloading is disabled

 

                ethtool -k eth0

               

 

Turn off checksum offloading for both receiving and trandmitted data via

 

                ethtool -K eth0 tx off

                ethtool -K eth0 rx off

 

 

Windows:

 

Check the specific system drivers to disable checksum offloading