Red Hat Bugzilla – Bug 129778
tcpdump reports 'bad udp cksum' for valid domain packets - promiscuous mode problem?
Last modified: 2007-11-30 17:10:47 EST
Description of problem: tcpdump consistently reports "bad udp cksum" errors for all domain (nameserver) packets generated by the localhost, whether generated by resolver (glibc) or by named (bind), even though these packets are evidently valid (they go out on the wire and return valid responses). Version-Release number of selected component (if applicable): This happens both with kernel-2.6.7-1.509 and kernel-2.6.7-1.517. I've tried the both the current FC3 tcpdump (tcpdump-3.8.2-5) and the FC2 tcpdump (tcpdump-3.8.2-3) with both the above kernels, with identical results. This does NOT happen with tcpdump-3.8.2-3 and the FC2 kernel (2.6.6-1.435) . I'm using a new IBM ThinkPad T41 with the e1000 driver controlling an "Intel 82540EP Gigabit Ethernet Controller (Mobile) (rev 03)" ("Class 0280: 14b9:a504"). domain packets seen on the wire from other machines are also reported by tcpdump as having "bad udp cksum". I thought the kernel is meant not to send packets with invalid checksums on the wire, nor would a receiver of such a packet pass it to a socket to be handled; so when it is sent, it has a valid checksum, but when tcpdump gets it, it does not - so it looks to me like a 'Promiscuous Mode' problem. How reproducible: 100% Steps to Reproduce: 1. ensure 'nscd' is shut down $ service nscd stop 2. Run tcpdump to show domain packets $ tcpdump -nl -vv -xx -i eth0 -s 1500 port domain > /tmp/tcpdump.log& 3. Do a host query - either run : $ nslookup www.redhat.com or $ host www.redhat.com (These bypass glibc resolver) or use glibc resolver - compile attached "lookup.c" : $ gcc -o lookup lookup.c $ ./lookup www.redhat.com 4. $ pkill tcpdump Actual Results: Look at /tmp/tcpdump.log (attached) - every domain packet generated on the localhost is reported as having 'bad udp cksum', even though they go out on the wire and return valid responses. Expected results: Valid packets that are sent out on the wire by the kernel cannot have bad UDP checksums - tcpdump should not be getting mangled packets and reporting that they have bad udp checksums if they have been passed for sending by the kernel. Additional info: See attached tcpdump.log
Created attachment 102661 [details] tcpdump.log
Created attachment 102662 [details] lookup.c
If the card is going to checksum the UDP/TCP packet for us (which it will with your e1000 card and current drivers) then tcpdump is going to get a copy of the packet before checksumming occurs. Sorry, but this is how it works.