too much TCP checksum incorrect


Pedro Henrique

Jun 24, 2021, 10:40:55 AM
to Wazuh mailing list
Hello Guys.
I have seen a high volume of packets coming from agents, and when I go to investigate it using tcpdump I get a lot of incorrect checksums coming in.

This Wazuh manager has only 2 agents and the load is very high, which is not normal.
Looking at my other wazuh-manager I see incorrect checksums, but in a very low number.
Any clues about this? Do you think this may be the cause of the high load on the manager?

Look at this portion of the log:
11:29:28.926888 IP (tos 0x0, ttl 64, id 21592, offset 0, flags [DF], proto TCP (6), length 52)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.35576: Flags [.], cksum 0x1b9a (incorrect -> 0x5c3e), seq 90, ack 1094, win 7043, options [nop,nop,TS val 64713035 ecr 1287554341], length 0
11:29:29.057235 IP (tos 0x0, ttl 115, id 3048, offset 0, flags [DF], proto TCP (6), length 1400)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [.], cksum 0x1738 (correct), seq 10962:12322, ack 1, win 1021, length 1360
11:29:29.057300 IP (tos 0x0, ttl 64, id 52119, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xd19a), seq 1, ack 12322, win 4602, length 0
11:29:29.057325 IP (tos 0x0, ttl 115, id 3049, offset 0, flags [DF], proto TCP (6), length 246)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x8bf4 (correct), seq 12322:12528, ack 1, win 1021, length 206
11:29:29.057336 IP (tos 0x0, ttl 64, id 52120, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xd0cd), seq 1, ack 12528, win 4601, length 0
11:29:29.059204 IP (tos 0x0, ttl 115, id 3050, offset 0, flags [DF], proto TCP (6), length 1606)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x21aa (incorrect -> 0xc619), seq 12528:14094, ack 1, win 1021, length 1566
11:29:29.059274 IP (tos 0x0, ttl 64, id 52121, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xcaae), seq 1, ack 14094, win 4602, length 0
11:29:29.070696 IP (tos 0x0, ttl 115, id 3052, offset 0, flags [DF], proto TCP (6), length 1606)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x21aa (incorrect -> 0x9ffe), seq 14094:15660, ack 1, win 1021, length 1566
11:29:29.070762 IP (tos 0x0, ttl 64, id 52122, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xc490), seq 1, ack 15660, win 4602, length 0
11:29:29.417444 IP (tos 0x20, ttl 109, id 7546, offset 0, flags [DF], proto TCP (6), length 1558)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [P.], cksum 0x24da (incorrect -> 0x01d3), seq 1518:3036, ack 1, win 510, length 1518
11:29:29.417499 IP (tos 0x20, ttl 109, id 7548, offset 0, flags [DF], proto TCP (6), length 1558)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [P.], cksum 0x24da (incorrect -> 0x9213), seq 3036:4554, ack 1, win 510, length 1518
11:29:29.417611 IP (tos 0x0, ttl 64, id 48482, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.17611: Flags [.], cksum 0x1eec (incorrect -> 0xe412), seq 1, ack 4554, win 1462, length 0
11:29:29.428599 IP (tos 0x20, ttl 109, id 7550, offset 0, flags [DF], proto TCP (6), length 1400)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [.], cksum 0x3d89 (correct), seq 4554:5914, ack 1, win 510, length 1360
11:29:29.428663 IP (tos 0x20, ttl 109, id 7551, offset 0, flags [DF], proto TCP (6), length 198)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [P.], cksum 0xed60 (correct), seq 5914:6072, ack 1, win 510, length 158
11:29:29.428721 IP (tos 0x0, ttl 64, id 48483, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.17611: Flags [.], cksum 0x1eec (incorrect -> 0xde24), seq 1, ack 6072, win 1462, length 0
11:29:29.446643 IP (tos 0x20, ttl 109, id 7555, offset 0, flags [DF], proto TCP (6), length 1400)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [.], cksum 0xd5a1 (correct), seq 6072:7432, ack 1, win 510, length 1360
11:29:29.446695 IP (tos 0x20, ttl 109, id 7556, offset 0, flags [DF], proto TCP (6), length 182)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [P.], cksum 0x1d5a (correct), seq 7432:7574, ack 1, win 510, length 142
11:29:29.446758 IP (tos 0x0, ttl 64, id 48484, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.17611: Flags [.], cksum 0x1eec (incorrect -> 0xd846), seq 1, ack 7574, win 1462, length 0
11:29:30.104425 IP (tos 0x0, ttl 115, id 3054, offset 0, flags [DF], proto TCP (6), length 1400)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [.], cksum 0xe039 (correct), seq 15660:17020, ack 1, win 1021, length 1360
11:29:30.104490 IP (tos 0x0, ttl 64, id 52123, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xbf40), seq 1, ack 17020, win 4602, length 0
11:29:30.104523 IP (tos 0x0, ttl 115, id 3055, offset 0, flags [DF], proto TCP (6), length 246)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x5723 (correct), seq 17020:17226, ack 1, win 1021, length 206
11:29:30.104535 IP (tos 0x0, ttl 64, id 52124, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xbe73), seq 1, ack 17226, win 4601, length 0
11:29:30.106110 IP (tos 0x0, ttl 115, id 3056, offset 0, flags [DF], proto TCP (6), length 1606)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x21aa (incorrect -> 0x4669), seq 17226:18792, ack 1, win 1021, length 1566
11:29:30.106149 IP (tos 0x0, ttl 64, id 52125, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xb854), seq 1, ack 18792, win 4602, length 0
11:29:30.117584 IP (tos 0x0, ttl 115, id 3058, offset 0, flags [DF], proto TCP (6), length 1606)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x21aa (incorrect -> 0x9b49), seq 18792:20358, ack 1, win 1021, length 1566
11:29:30.117650 IP (tos 0x0, ttl 64, id 52126, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xb242), seq 1, ack 20358, win 4590, length 0
11:29:30.381294 IP (tos 0x20, ttl 109, id 7577, offset 0, flags [DF], proto TCP (6), length 310)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [P.], cksum 0xc280 (correct), seq 7574:7844, ack 1, win 510, length 270
11:29:30.424902 IP (tos 0x0, ttl 64, id 48485, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.17611: Flags [.], cksum 0x1eec (incorrect -> 0xd738), seq 1, ack 7844, win 1462, length 0
11:29:30.459526 IP (tos 0x0, ttl 64, id 48486, offset 0, flags [DF], proto TCP (6), length 129)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.17611: Flags [P.], cksum 0x1f45 (incorrect -> 0x5b7b), seq 1:90, ack 7844, win 1462, length 89
11:29:30.666636 IP (tos 0x20, ttl 109, id 7583, offset 0, flags [DF], proto TCP (6), length 40)
    xxx.xxx.xxx.xxx.17611 > wazuh.manager.1514: Flags [.], cksum 0xda92 (correct), seq 7844, ack 90, win 515, length 0


Thanks in advance
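
Added example (not code from the thread): a small parser for the `tcpdump -vv` records above that counts incorrect checksums per direction, because in this excerpt every packet the manager sends is flagged incorrect while the only incorrect inbound packets are larger than a 1500-byte MTU, which is the signature of checksum and receive offload on the capturing host (tcpdump sees outbound frames before the NIC fills in the checksum, and inbound segments after the driver has coalesced them) rather than of corruption on the wire. `tcpdump -K` disables checksum verification and `ethtool -k <iface>` shows the offload state; the capture-host name `wazuh.manager` and the 1500-byte MTU are assumptions.

```python
import re
from collections import Counter, defaultdict

# `tcpdump -vv` prints one IP header line followed by one indented TCP flow line.
HDR_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP .*length (?P<ip_len>\d+)\)$")
FLOW_RE = re.compile(r"^\s+(?P<src>\S+)\.\d+ > \S+\.\d+: .*cksum 0x[0-9a-f]+ "
                     r"\((?P<status>correct|incorrect)")

# Four records copied from the tcpdump excerpt in the post above.
SAMPLE = """\
11:29:28.926888 IP (tos 0x0, ttl 64, id 21592, offset 0, flags [DF], proto TCP (6), length 52)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.35576: Flags [.], cksum 0x1b9a (incorrect -> 0x5c3e), seq 90, ack 1094, win 7043, options [nop,nop,TS val 64713035 ecr 1287554341], length 0
11:29:29.057235 IP (tos 0x0, ttl 115, id 3048, offset 0, flags [DF], proto TCP (6), length 1400)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [.], cksum 0x1738 (correct), seq 10962:12322, ack 1, win 1021, length 1360
11:29:29.057300 IP (tos 0x0, ttl 64, id 52119, offset 0, flags [DF], proto TCP (6), length 40)
    wazuh.manager.1514 > xxx.xxx.xxx.xxx.56544: Flags [.], cksum 0x1b8c (incorrect -> 0xd19a), seq 1, ack 12322, win 4602, length 0
11:29:29.059204 IP (tos 0x0, ttl 115, id 3050, offset 0, flags [DF], proto TCP (6), length 1606)
    xxx.xxx.xxx.xxx.56544 > wazuh.manager.1514: Flags [P.], cksum 0x21aa (incorrect -> 0xc619), seq 12528:14094, ack 1, win 1021, length 1566
"""

def parse_tcpdump(text):
    """Pair each header line with its flow line; returns source host, checksum verdict, IP length."""
    records, ip_len = [], None
    for line in text.splitlines():
        if (h := HDR_RE.match(line)):
            ip_len = int(h.group("ip_len"))
        elif (f := FLOW_RE.match(line)) and ip_len is not None:
            records.append({"src": f.group("src"), "status": f.group("status"), "ip_len": ip_len})
            ip_len = None
    return records

def checksum_summary(records, local_host, mtu=1500):
    """Verdicts per direction, plus inbound 'incorrect' packets too big to have crossed the wire whole."""
    per_dir = defaultdict(Counter)
    over_mtu = 0
    for r in records:
        direction = "outbound" if r["src"] == local_host else "inbound"
        per_dir[direction][r["status"]] += 1
        if direction == "inbound" and r["status"] == "incorrect" and r["ip_len"] > mtu:
            over_mtu += 1  # coalesced by receive offload, checksum recomputed by the driver
    return {"outbound": dict(per_dir["outbound"]), "inbound": dict(per_dir["inbound"]),
            "inbound_incorrect_over_mtu": over_mtu}

def likely_offload_artifact(summary):
    """All outbound 'incorrect' (NIC fills the checksum later) and every inbound 'incorrect' is over-MTU."""
    out, inb = summary["outbound"], summary["inbound"]
    return (out.get("incorrect", 0) > 0 and out.get("correct", 0) == 0
            and inb.get("incorrect", 0) == summary["inbound_incorrect_over_mtu"])
```

If the verdict is an offload artifact, the incorrect checksums say nothing about network quality and the manager load has to be explained elsewhere; if outbound packets verify fine while inbound ones of normal size fail, the network path is the suspect.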

jeremias...@wazuh.com

Jul 5, 2021, 11:43:39 AM
to Wazuh mailing list
Hi Pedro Henrique,
Thank you for using Wazuh!

The high amount of packets is probably related to the number of incorrect checksums. A higher number of packets increases the possibility of checksum errors, and if you have an unstable network connection leading to more checksum errors, there will be more re-sent packets, increasing the number of received bytes.

But if you consider that the traffic between the manager and the agent is abnormal, we can check the Wazuh logs to see if there is any problem there.
Can you share with me the manager and agent log files (/var/ossec/logs/ossec.log) so I can investigate whether there is any problem during the communication?

Best regards.