tcpdump bad udp cksum 0x431e message

While troubleshooting a problem with Domain Name System (DNS) lookups on a CentOS 7 system, I ran tcpdump using the -vv option to get very verbose output. The output from tcpdump showed many "bad udp cksum 0x431b" messages.

# tcpdump -i enp1s4 -vv port 53
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 by
tes
15:04:44.432784 IP (tos 0x0, ttl 64, id 18564, offset 0, flags [DF], proto UDP (
17), length 75)
    moonpoint.com.39018 > 208.67.220.220.domain: [bad udp cksum 0x431e -> 0x9f9d
!] 29085+ A? 248.13.189.1.sbl.spamhaus.org. (47)
15:04:44.433856 IP (tos 0x0, ttl 64, id 21529, offset 0, flags [DF], proto UDP (
17), length 73)

As explained at UDP / TCP Checksum errors from tcpdump & NIC Hardware Offloading by Sokratis Galiatsis "This is caused because you have checksum offloading on your network card (NIC) and tcpdump reads IP packets from the Linux kernel right before the actual checksum takes place in the NIC’s chipset. That’s why you only see errors in tcpdump and your network traffic works ok."

When I checked the settings for the network interface enp1s4 with the ethtool utility, I saw that checksumming offloading was on for receipt, i.e., rx, and transmisssion, tx, of packets:

Udemy Generic Category (English)120x600 
# ethtool --show-offload enp1s4
Features for enp1s4:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
        tx-checksum-ip-generic: off [fixed]
        tx-checksum-ipv6: off [fixed]
        tx-checksum-fcoe-crc: off [fixed]
        tx-checksum-sctp: off [fixed]
scatter-gather: on
        tx-scatter-gather: on
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
        tx-tcp-segmentation: off [fixed]
        tx-tcp-ecn-segmentation: off [fixed]
        tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: on [fixed]
rx-vlan-filter: off [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
busy-poll: off [fixed]
#

I turned offloading off with the command ethtool --offload enp1s4 rx off tx off and then checked the settings again. Note: you need to specify the appropriate network interface for your system, which could be eth0 or something else. You can see all of the network interfaces using the ifconfig command with ifconfig -a.

# ethtool --offload enp1s4 rx off tx off
# ethtool --show-offload enp1s4
Features for enp1s4:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ipv4: off
        tx-checksum-ip-generic: off [fixed]
        tx-checksum-ipv6: off [fixed]
        tx-checksum-fcoe-crc: off [fixed]
        tx-checksum-sctp: off [fixed]
scatter-gather: on
        tx-scatter-gather: on
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
        tx-tcp-segmentation: off [fixed]
        tx-tcp-ecn-segmentation: off [fixed]
        tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: on [fixed]
rx-vlan-filter: off [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
busy-poll: off [fixed]
#

Once I made that change, I no longer saw the "bad udp cksum 0x431e" messages when runing tcpdump with the -vv option. Instead, I saw "udp sum ok".

# tcpdump -i enp1s4 -vv port 53
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 bytes
15:18:18.235853 IP (tos 0x0, ttl 64, id 22127, offset 0, flags [DF], proto UDP (17), length 75)
    moonpoint.com.33085 > 207.255.176.40.domain: [udp sum ok] 20174+ A? 190.62.144.89.dnsbl.sorbs.net. (47)
15:18:18.236934 IP (tos 0x0, ttl 64, id 25354, offset 0, flags [DF], proto UDP (17), length 73)

For performance reasons, you should turn checksum offloading back on after you are finished troubleshooting with tcpdump, if you turn it off, as shown below:

# ethtool --offload enp1s4 rx on tx on
#

References:

  1. [SOLVED] Help needed disabling TCP/UDP checksum offloading in Debian
    Date posted: May 12, 2011
    LinuxQuestions.org
  2. tcpdump: Learning how to read UDP packets
    Written: July 15, 2012
    Mark Needham
  3. UDP / TCP Checksum errors from tcpdump & NIC Hardware Offloading
    Posted: April 1, 2012
    By: Sokratis Galiatsis
    Techie in IT

 

TechRabbit ad 300x250 newegg.com

Justdeals Daily Electronics Deals1x1 px