Tadek’s Blog

While playing with tcpdump and bro I noticed that all outgoing packets have garbled TCP checksums. The diagnosis was simple: TCP checksum offloading. The real question was how to disable it

After a big of googling I found the magic command:

sysctl -w net.link.ether.inet.apple_hwcksum_tx=0
sysctl -w net.link.ether.inet.apple_hwcksum_rx=0

There’s one catch though. Disabling TCP checksum offloading effectively corrupts TCP checksum on the lo interface and, as you can well imagine, things stop working. In particular, you will not be able to start any graphical applications anymore… So it looks either playing with the network or working… There’s no free lunch.

At the end the solution with bro turned out to be simpler – you can tell it to ignore checksums with -C flag as everything works as on my linux box.

BTW: my favourite bro command

bro -C -i en0 conn http-request http-reply [http-headers] [http-body]

writes connection summaries to conn.log and http-related stuff to http.log. Depending on the amount of details you need, you can have: only requests, requests plus information about the results (HTTP return code and the size of the result). Additional modules record the browser headers or even the entire page loaded.

This entry was posted on Wednesday, November 15th, 2006 at 3:55 pm and is filed under Tips&Tricks. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.