TCP Header Checksums Shown as Invalid in Network Monitor
This article was previously published under Q243294
This article has been archived. It is offered "as is" and will no longer be updated.
When you view a capture created in the Network Monitor tool, the checksum for the TCP header may show as being corrupted.
This behavior occurs because some Network Driver Interface Specification (NDIS) drivers allow Windows to offload the computation of checksums to the network adapter itself.
This feature was added to remove the computationally expensive checksum calculation from the main CPU, which generally results in improved performance. Network Monitor installs its filter driver between the NDIS driver for the network adapter and the TCP/IP stack. As a result, packets captured on their way from the TCP/IP stack to the network driver are shown as having invalid checksums, because the checksums have not been calculated yet. The packet checksum is calculated before the packet is sent to the network, which is why communication continues. The other computer has no knowledge of how or where the checksum is computed, only that the value is correct.
It is generally not a good idea to capture from one of the computers involved in the communication stream. Because this behavior affects only the data from that specific computer, it should not adversely affect a capture.
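The following added example (not part of the original article or of Network Monitor) recomputes the TCP checksum over the IPv4 pseudo-header and separates invalid checksums on frames sent by the capturing computer, which match the offload behavior described above, from invalid checksums on received frames. The addresses, the sample segment, the function names, and the zeroed checksum field on the not-yet-calculated frame are constructed assumptions.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A correct segment sums to 0xFFFF together with its pseudo-header."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def classify(src: str, dst: str, segment: bytes, local_ip: str) -> str:
    """Separate the capture-side artifact from corruption seen on receive."""
    if tcp_checksum_ok(src, dst, segment):
        return "valid"
    return "invalid-likely-offload" if src == local_ip else "invalid-received"

def build_segment(src: str, dst: str, payload: bytes, fill: bool) -> bytes:
    """Constructed sample: 20-byte TCP header (PSH+ACK) plus payload."""
    header = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    segment = header + payload
    if not fill:
        return segment  # checksum left for the adapter (assumed zero here)
    csum = ~ones_sum(pseudo_header(src, dst, len(segment)) + segment) & 0xFFFF
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

if __name__ == "__main__":
    LOCAL, REMOTE = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
    data = b"GET / HTTP/1.1\r\n\r\n"
    print(classify(LOCAL, REMOTE, build_segment(LOCAL, REMOTE, data, False), LOCAL))
    print(classify(REMOTE, LOCAL, build_segment(REMOTE, LOCAL, data, True), LOCAL))
```

Frames classified as "invalid-received" are not explained by the sending-side offload described in this article and are worth investigating separately.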
Article ID: 243294 - Last Review: 12/05/2015 16:11:01 - Revision: 5.2
Microsoft Windows XP Professional, Microsoft Windows XP Home Edition, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Datacenter Server, Microsoft Windows NT Server 4.0 Standard Edition, Microsoft Windows NT Workstation 4.0 Developer Edition