A tcpdump pcap exported and being investigated on another machine with wireshark is showing a lot of invalid TCP checksum messages. This is a known and documented phenomenon when using TCP offload functionality: https://wiki.wireshark.org/TCP_Checksum_Verification
The only thing that is unclear is why the checksum is incorrect?
TCP checksums are calculated over the entire TCP segment with the help of a pseudo header and using the temporary checksum value of all zeros durring the process of checksum calculation (http://www.tcpipguide.com/free/t_TCPChecksumCalculationandtheTCPPseudoHeader-2.htm#Figure_218). The pseaudoheader is then discarded. Where does the difference creep in?
Best Answer
A TCP segment is located in computer RAM. It contains all the fields required for the TCP segment.
When TCP checksum offload is used, this is what happens when transmitting a segment:
The OS fills out every field in the TCP segment in the memory, EXCEPT for the checksum. The checksum field is not computed by the OS, it contains whatever data there was before in that memory location.
Now, packet capture tools like Wireshark capture the contents of this memory location, which contains a TCP segment without a computed checksum.
When the OS sends the segment to the NIC, the NIC hardware then performs the checksum computation, and puts the computed checksum to the particular TCP segment field. This checksum is never seen by the OS or capture tool.
This is the reason why Wireshark reports those errors.