You are right. The machine where Bro is running generated BAD_TCP_Checksum
packets. This is why I didn't see any tcp traffic sent by this machine. Which
part do you think causes this checksum problem: IC card or system driver?
When we've seen this before, it was because the NIC was offloading checksumming,
so packets captured by the packet filter didn't have their checksums filled in.
This was revealed via ifconfig, along the lines of:
    1 % ifconfig em0
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 131.243.X.Y netmask 0xffffff00 broadcast 131.243.X.255
            ether 00:01:02:03:04:05
            media: Ethernet autoselect (1000baseTX <full-duplex>)
            status: active
If so, try running bro with -C (ignore checksums).
Vern
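
Added example, not part of the original messages: a way to tell the offload artifact described in the thread apart from real corruption, by verifying TCP checksums in a capture and checking whether every failure comes from the sensor's own address. The addresses, ports, helper names and the zeroed checksum field (a stand-in for whatever the stack left unfilled) are constructed assumptions.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP includes in its checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_segment(src: str, dst: str, sport: int, dport: int, fill_checksum: bool) -> bytes:
    """Constructed 20-byte TCP header. fill_checksum=False leaves the field 0,
    standing in for a packet captured before the NIC computed the checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    if fill_checksum:
        csum = ~ones_sum(pseudo_header(src, dst, len(seg)) + seg) & 0xFFFF
        seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    return seg

def diagnose(local_ip: str, packets) -> str:
    """packets: iterable of (src, dst, tcp_segment) tuples from a capture."""
    bad_sources = {src for src, dst, seg in packets if not tcp_checksum_ok(src, dst, seg)}
    if not bad_sources:
        return "clean"
    if bad_sources == {local_ip}:
        return "likely-tx-offload"   # only the sensor's own transmissions fail
    return "corruption-on-path"      # failures from other hosts are not an offload artifact

LOCAL, PEER = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses
CAPTURE = [                                   # constructed two-packet capture
    (LOCAL, PEER, build_segment(LOCAL, PEER, 40000, 80, fill_checksum=False)),
    (PEER, LOCAL, build_segment(PEER, LOCAL, 80, 40000, fill_checksum=True)),
]

if __name__ == "__main__":
    print(diagnose(LOCAL, CAPTURE))
```

A "likely-tx-offload" result is the case where ignoring checksums on the monitor is reasonable; failures attributed to other hosts deserve investigation rather than suppression.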