Hi everyone,
Zeek documentation states one way to ignore bad packet checksums is to add '-C' options to the zeek command. I use zeekctl to start the zeek process. Which configuration file and/or variable should I use to specify this option?
Regards,
Use:
zeekargs = --no-checksums
in your zeekctl.cfg
James
Hi James,
Your suggestion resolved the issue. Thanks for your time.
For the sake of completeness, I will add the warning I used to get anytime I ran zeekctl diag:
Reporter::WARNING Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted. /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54