diff --git a/tap/api/api.go b/tap/api/api.go
index d1d56e571..26fa9fe15 100644
--- a/tap/api/api.go
+++ b/tap/api/api.go
@@ -5,6 +5,7 @@ import (
 "bytes"
 "encoding/json"
 "errors"
+ "flag"
 "fmt"
 "io/ioutil"
 "net"
@@ -19,6 +20,10 @@ import (
 "github.com/up9inc/mizu/tap/api/diagnose"
 )
+var checksum = flag.Bool("checksum", false, "Check TCP checksum") // global
+var nooptcheck = flag.Bool("nooptcheck", true, "Do not check TCP options (useful to ignore MSS on captures with TSO)") // global
+var ignorefsmerr = flag.Bool("ignorefsmerr", true, "Ignore TCP FSM errors") // global
+
 const mizuTestEnvVar = "MIZU_TEST"
 const UNKNOWN_NAMESPACE = ""
diff --git a/tap/api/tcp_stream.go b/tap/api/tcp_stream.go
index ccc391c2a..408bf186d 100644
--- a/tap/api/tcp_stream.go
+++ b/tap/api/tcp_stream.go
@@ -45,17 +45,38 @@ func (t *TcpStream) Accept(tcp *layers.TCP, ci gopacket.CaptureInfo, dir reassem
 t.fsmerr = true
 diagnose.InternalStats.RejectConnFsm++
 }
+ if !*ignorefsmerr {
+ return false
+ }
 }
 // Options
 err := t.Optchecker.Accept(tcp, ci, dir, nextSeq, start)
 if err != nil {
 diagnose.TapErrors.SilentError("OptionChecker-rejection", "%s: Packet rejected by OptionChecker: %s", t.Ident, err)
 diagnose.InternalStats.RejectOpt++
+ if !*nooptcheck {
+ return false
+ }
+ }
+ // Checksum
+ accept := true
+ if *checksum {
+ c, err := tcp.ComputeChecksum()
+ if err != nil {
+ diagnose.TapErrors.SilentError("ChecksumCompute", "%s: Got error computing checksum: %s", t.Ident, err)
+ accept = false
+ } else if c != 0x0 {
+ diagnose.TapErrors.SilentError("Checksum", "%s: Invalid checksum: 0x%x", t.Ident, c)
+ accept = false
+ }
+ }
+ if !accept {
+ diagnose.InternalStats.RejectOpt++
 }
 *start = true
- return true
+ return accept
 }
 func (t *TcpStream) ReassembledSG(sg reassembly.ScatterGather, ac reassembly.AssemblerContext) {
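Review bot: In the second hunk of tap/api/api.go the three `flag.Bool` variables are declared at package level in a library package, so they register on the process-wide flag set and read as their defaults until the host binary calls `flag.Parse()`; nothing in the hunk documents that. The defaults (`checksum` false, `nooptcheck` true, `ignorefsmerr` true) mean the tap keeps segments that fail checksum, option or state-machine validation, which a receiving endpoint may discard, so a reassembled stream can differ from what the application actually processed. I would replace the `// global` trailers with a comment above the block that states this trade-off, e.g. `// Permissive by default: offloaded captures carry invalid checksums and MSS; enable the strict checks when the tap's view must match the endpoint's.`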
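Review bot: In the tap/api/tcp_stream.go hunk a checksum failure is counted with `diagnose.InternalStats.RejectOpt++` under `if !accept`, the same counter the OptionChecker branch increments a few lines above, so a segment that fails both checks with `nooptcheck` left at true is counted twice and checksum rejections cannot be told apart from option rejections in the stats. A separate counter for checksum failures (it would have to be added to `InternalStats`, which is not shown here) keeps that signal usable for spotting corrupted or injected segments. `*start = true` also runs before `return accept`, so the out-parameter is set even for a segment that is then rejected; whether the assembler reads it in that case is not visible here, but `if accept { *start = true }` avoids depending on it. `tcp.ComputeChecksum()` returns an error unless the network layer was set on the TCP layer with `SetNetworkLayerForChecksum`, and no such call appears on this page, so with `-checksum` every segment may take the `ChecksumCompute` branch and be dropped through `SilentError`. Accept's signature and the start of its body are outside the hunk.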