no-df and cksum errors in tcpdump

Daniel Hartmeier daniel at benzedrine.cx
Tue May 31 06:15:29 PDT 2005


On Tue, May 31, 2005 at 01:55:49PM +0200, Derkjan de Haan wrote:

> The strange thing is that as soon as I remove the no-df from my pf
> configuration, the 'bad cksum' disappears. Has anybody seen this before?
> Can it be that pf doesn't recompute the checksum after altering the packet?

This can be perfectly fine, when you have a NIC that does checksum
calculation in hardware. In that case, pf will invalidate the packet
checksum with any modification (nat, modulate state, no-df, etc.) and
bpf (i.e. tcpdump, pflogd) will see packets before they actually reach
the NIC (which then fixes the checksum in hardware).

To make sure, tcpdump what goes out on the wire, from a second host
(like the peer or a sniffer). If you see invalid checksums on the wire,
then something is wrong. But you can't check this on the sending host
itself, due to the order in which bpf gets packets first.

Daniel
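
Added example, not part of the original post: a Python sketch of why a capture taken on the sending host can show 'bad cksum' once the DF bit has been cleared, while a capture on a second host shows a valid header. It assumes the IPv4 header checksum is the one being reported, uses a constructed header with documentation addresses, and models the pre-NIC state simply as a stale checksum field; the function names are hypothetical.

```python
import struct

DF = 0x4000  # "don't fragment" bit in the 16-bit flags/fragment-offset word


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(df: bool) -> bytes:
    """Constructed 20-byte IPv4 header (192.0.2.1 -> 198.51.100.1, ICMP)."""
    words = [0x4500, 0x0054, 0x1C46, DF if df else 0, 0x4001, 0,
             0xC000, 0x0201, 0xC633, 0x6401]
    words[5] = ip_checksum(struct.pack("!10H", *words))
    return struct.pack("!10H", *words)


def checksum_ok(header: bytes) -> bool:
    """The check a sniffer performs: a valid header sums to zero."""
    ihl = (header[0] & 0x0F) * 4
    return ip_checksum(header[:ihl]) == 0


def clear_df(header: bytes, recompute: bool) -> bytes:
    """Clear DF. recompute=False models the packet as captured before the
    NIC; recompute=True models it after the checksum has been redone."""
    words = list(struct.unpack("!10H", header[:20]))
    words[3] &= ~DF & 0xFFFF
    if recompute:
        words[5] = 0
        words[5] = ip_checksum(struct.pack("!10H", *words))
    return struct.pack("!10H", *words) + header[20:]


if __name__ == "__main__":
    original = build_header(df=True)
    print("as received:      ", checksum_ok(original))
    print("local capture:    ", checksum_ok(clear_df(original, recompute=False)))
    print("second-host view: ", checksum_ok(clear_df(original, recompute=True)))
```
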

