tcpdump bad udp cksum 0x431e message
While troubleshooting a problem with Domain Name System (DNS) lookups on a CentOS 7 system, I ran tcpdump using the -vv option to get very verbose output. The output from tcpdump showed many "bad udp cksum 0x431b" messages.
# tcpdump -i enp1s4 -vv port 53
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 bytes
15:04:44.432784 IP (tos 0x0, ttl 64, id 18564, offset 0, flags [DF], proto UDP (17), length 75)
    moonpoint.com.39018 > 208.67.220.220.domain: [bad udp cksum 0x431e -> 0x9f9d!] 29085+ A? 248.13.189.1.sbl.spamhaus.org. (47)
15:04:44.433856 IP (tos 0x0, ttl 64, id 21529, offset 0, flags [DF], proto UDP (17), length 73)
As explained at UDP / TCP Checksum errors from tcpdump & NIC Hardware Offloading by Sokratis Galiatsis: "This is caused because you have checksum offloading on your network card (NIC) and tcpdump reads IP packets from the Linux kernel right before the actual checksum takes place in the NIC’s chipset. That’s why you only see errors in tcpdump and your network traffic works ok."
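The value tcpdump prints after the arrow is the checksum it recomputes itself over the IPv4 pseudo-header and the UDP segment (RFC 768); a packet captured before the NIC fills the field in still carries whatever placeholder the kernel left there. The following added example (not code from the original post) reproduces that computation on a constructed DNS query shaped like the one in the capture above; the source address 192.0.2.10 and all function names are assumptions.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768: checksum of the IPv4 pseudo-header plus the UDP segment with
    its checksum field zeroed; a computed 0 is transmitted as 0xFFFF."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    return ((~ones_complement_sum(pseudo + zeroed)) & 0xFFFF) or 0xFFFF

def check_ipv4_udp(packet: bytes) -> tuple:
    """Return (stored, expected) UDP checksum for a raw IPv4/UDP packet."""
    udp = packet[(packet[0] & 0x0F) * 4:]
    stored = struct.unpack("!H", udp[6:8])[0]
    return stored, udp_checksum(packet[12:16], packet[16:20], udp)

def cksum_status(packet: bytes) -> str:
    """Annotate the UDP checksum field the way tcpdump -vv does."""
    stored, expected = check_ipv4_udp(packet)
    if stored == 0:
        return "no cksum"  # IPv4 permits an all-zero (uncomputed) UDP checksum
    if stored == expected:
        return "udp sum ok"
    return "bad udp cksum 0x%04x -> 0x%04x!" % (stored, expected)

def encode_qname(name: str) -> bytes:
    """DNS wire form: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_dns_query(src_ip, dst_ip, sport, txid, qname, checksum=None):
    """Constructed IPv4/UDP packet carrying a DNS A query (DF set, id and TTL
    as in the capture above). checksum=None stores the correct value; any
    other value is written as-is, like a packet read before the NIC fills it."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    if checksum is None:
        checksum = udp_checksum(src, dst, udp)
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 18564, 0x4000, 64, 17, 0, src, dst)
    return ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:] + udp
```

When the mismatch is only this offload artifact, tcpdump's -K (--dont-verify-checksums) option skips the verification, and ethtool -k on the interface confirms whether tx checksumming is offloaded.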
Using tcpdump to monitor connectivity to a host excluding a port
There are occasions where I need to monitor all traffic between two hosts with tcpdump, but I want to exclude the traffic for a particular port. E.g., I may be logged into a system via Secure Shell (SSH), but don't want to have the output of tcpdump cluttered with the SSH traffic. If you want to view traffic between the host you are logged into and a remote system, you can specify the remote system using

tcpdump host remote_host

where remote_host is the fully qualified domain name (FQDN) of the remote system, e.g. system1.example.com, or the IP address of the remote system. You can monitor only traffic to/from a particular port using the port port_number parameter, where port_number is the relevant port. E.g., if I wanted to monitor only SSH traffic with the host system1.example.com for the standard SSH port, port 22, I could use the command below:
# tcpdump host system1.example.com and port 22
If you wish to have tcpdump monitor traffic based on two parameters, e.g., host name and port number in the example above, put the word and between the parameters. However, if I wanted to monitor all traffic to/from system1.example.com, except for traffic using port 22, I can put not before the word port.
# tcpdump host system1.example.com and not port 22