The next step is to record the traffic with tcpdump -w (using a snapshot
of -s 0 to capture entire packets) and then run bro against the trace using
bro -r trace rather than running it live. If it doesn't log any HTTP
session information, look at the trace using tcpdump -v -v to see whether
it *contains* any tcpdump traffic, and whether the traffic has valid
checksums.

Hi Vern,
You are right. The machine where Bro is running generated BAD_TCP_Checksum
packets. This is why I didn't see any TCP traffic sent by this machine. Which
part do you think causes this checksum problem: the IC card or the system driver?
This machine runs Fedora 3. Although it has this problem, I have used it for a
long time without any trouble. It seems the Fedora system and the Mozilla
Firefox browser ignore this checksum problem.

Try to run it using the -C option to ignore checksums:
%bro -C -r <file> <script>
The checksum thing could be that your network interface takes care of computing the checksums, so pcap 'thinks' they are incorrect (they are fixed later by the NIC). Check %ifconfig -a, and if you see something like <RXCSUM,TXCSUM> then that explains it.
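To make the offloading effect concrete, here is an added example (not code from the thread or from Bro itself) that builds two IPv4/TCP packets with the same contents: one with a valid TCP checksum and one whose TCP checksum field is still zero, as pcap sees an outgoing packet before the NIC fills it in. It then verifies the checksums the way a passive analyser does (one's-complement sum over the pseudo-header and segment must come out to zero) and shows how an "ignore checksums" switch, in the spirit of bro -C, changes which packets are accepted. The packet builder is a deliberately minimal construction for illustration; the addresses and payload are made up.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int,
                   payload: bytes, fill_tcp_csum: bool = True) -> bytes:
    """Construct a minimal IPv4+TCP packet (constructed sample, not real traffic).
    With fill_tcp_csum=False the TCP checksum field is left at 0, which is what a
    sniffer sees on the sending host when the NIC does TX checksum offloading."""
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if fill_tcp_csum:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)   # pseudo-header, proto 6 = TCP
        tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    total_len = 20 + tcp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]   # IP header checksum
    return ip + tcp

def ip_checksum_ok(pkt: bytes) -> bool:
    """The IPv4 header checksum verifies iff the sum over the header (checksum included) is 0."""
    ihl = (pkt[0] & 0x0F) * 4
    return internet_checksum(pkt[:ihl]) == 0

def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum over pseudo-header + segment, as a passive analyser would."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return internet_checksum(pseudo + tcp) == 0

def accepted_packets(packets, ignore_checksums: bool = False):
    """Mimic the analyser's policy: discard TCP packets with bad checksums unless
    told to ignore checksums (the effect of the -C switch discussed above)."""
    return [p for p in packets if ignore_checksums or tcp_checksum_ok(p)]

# Constructed sample: a request from 10.0.0.1 to 10.0.0.2, once with a valid
# checksum (as seen on the wire) and once with the field still zero (as seen by
# pcap on a host with TX checksum offloading enabled).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
GOOD = build_ipv4_tcp(SRC, DST, 40000, 80, PAYLOAD, fill_tcp_csum=True)
OFFLOADED = build_ipv4_tcp(SRC, DST, 40000, 80, PAYLOAD, fill_tcp_csum=False)

if __name__ == "__main__":
    for name, pkt in (("wire", GOOD), ("offloaded", OFFLOADED)):
        print(name, "ip ok:", ip_checksum_ok(pkt), "tcp ok:", tcp_checksum_ok(pkt))
    print("accepted without -C:", len(accepted_packets([GOOD, OFFLOADED])))
    print("accepted with -C:   ", len(accepted_packets([GOOD, OFFLOADED], ignore_checksums=True)))
```

The IP header checksum is fine in both packets, which is why the trace looks healthy at the IP layer; only the transport checksum is "bad", and only for packets the capturing host itself sent. Ignoring checksums is the right workaround for a trace taken on the sender, but on a trace taken from a separate tap it would also let through segments that were genuinely corrupted in transit.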