modifying bro.init

Hi Everyone,

Thanks for your help before. I found that the DNS parser was giving me trouble due to many of the IP checksum errors. I don't really care much about these errors anyways.

I understand the boolean value of ignore_checksum is set to False in bro.init, do I just modify this file? A quick read through the wiki page tells me no, but I'm not sure exactly where to continue to.

I apologize if the issue seems trivial, I'm just starting to get the hang of the language.

Thank you,

Daniela

> Thanks for your help before. I found that the DNS parser was giving me
> trouble due to many of the IP checksum errors. I don't really care
> much about these errors anyways.

Ah, that trips up everyone eventually I think. :slight_smile:

> I understand the boolean value of ignore_checksum is set to False in
> bro.init, do I just modify this file?

Nope, you don't modify the bro.init script. See below.

> I apologize if the issue seems trivial, I'm just starting to get the
> hang of the language.

You have two options.

Either in a script you write and load on the command line...

  redef ignore_checksum=T;

or run Bro this way....

  bro -r test.pcap dns ignore_checksum=T

Feel free to ask more questions!

   .Seth

> Thanks for your help before. I found that the DNS parser was giving me
> trouble due to many of the IP checksum errors. I don't really care
> much about these errors anyways.

Ah, that trips up everyone eventually I think. :slight_smile:

These comments confuse me. If a packet has an IP checksum error, then the
DNS parser shouldn't even analyze the packet. However, turning on
ignore_checksum=T will cause it to analyze the bad packet, so if anything
it should give trouble rather than reduce trouble.

    Vern

I left off the rest of my explanation for that statement. :slight_smile: It seems like almost everyone eventually runs Bro against a tracefile that was captured on a NIC doing checksum offloading.

I know it happened to me and I had to find out how to ignore checksum errors. I think I found out about how to disable checksum checks from a post you made on the mailing list several years ago. :wink:

   .Seth

Is that the same as using the -C option:

-C|--no-checksums | ignore checksums

Oh yeah, that too. :slight_smile:

   .Seth

Hi Seth,

That worked great, thanks a lot! But it seems that I shouldn't simply ignore the checksum errors, since now it's giving me an "unrecognized character" error.

Can I somehow log the checksum error but at least let the parser parse it anyways?

Thanks,

Daniela

Quoting Seth Hall <hall.692@osu.edu>:

> ignore the checksum errors, since now it's giving me an "unrecognized
> character" error.

That usually means you left off a -r running against a trace, like

  bro foo.trace http-request

rather than

  bro -r foo.trace http-request

Bro is then trying to parse foo.trace as a script and the low-level scanner
flags an impossible (8-bit) character.

    Vern

Hi Vern,

It appears that you're absolutely right, my bad, thanks again!

Daniela

Quoting Vern Paxson <vern@icir.org>: