modifying bro.init

daniela.miao · February 4, 2010, 2:55am

Hi Everyone,

Thanks for your help before. I found that the DNS parser was giving me trouble due to many of the IP checksum errors. I don't really care much about these errors anyways.

I understand the boolean value of ignore_checksum is set to False in bro.init, do I just modify this file? A quick read through the wiki page tells me no, but I'm not sure exactly where to continue to.

I apologize if the issue seems trivial, I'm just starting to get the hang of the language.

Thank you,

Daniela

Seth_Hall · February 4, 2010, 4:03am

Thanks for your help before. I found that the DNS parser was giving me
trouble due to many of the IP checksum errors. I don't really care
much about these errors anyways.

Ah, that trips up everyone eventually I think.

I understand the boolean value of ignore_checksum is set to False in
bro.init, do I just modify this file?

Nope, you don't modify the bro.init script. See below.

I apologize if the issue seems trivial, I'm just starting to get the
hang of the language.

You have two options.

Either in a script you write and load on the command line...
redef ignore_checksum=T;

or run Bro this way....
bro -r test.pcap dns ignore_checksum=T

Feel free to ask more questions!

.Seth

Vern_Paxson4 · February 4, 2010, 6:14am

> Thanks for your help before. I found that the DNS parser was giving me
> trouble due to many of the IP checksum errors. I don't really care
> much about these errors anyways.

Ah, that trips up everyone eventually I think.

These comments confuse me. If a packet has an IP checksum error, then the
DNS parser shouldn't even analyze the packet. However, turning on
ignore_checksum=T will cause it to analyze the bad packet, so if anything
it should give trouble rather than reduce trouble.

Vern

Seth_Hall · February 4, 2010, 3:00pm

I left off the rest of my explanation for that statement. It seems like almost everyone eventually runs Bro against a tracefile that was captured on a NIC doing checksum offloading.

I know it happened to me and I had to find out how to ignore checksum errors. I think I found out about how to disable checksum checks from a post you made on the mailing list several years ago.

.Seth

Justin_Azoff · February 4, 2010, 3:23pm

Is that the same as using the -C option:

-C|--no-checksums | ignore checksums

Seth_Hall · February 4, 2010, 3:41pm

Oh yeah, that too.

.Seth

daniela.miao · February 5, 2010, 1:32am

Hi Seth,

That worked great, thanks a lot! But it seems that I shouldn't simply ignore the checksum errors, since now it's giving me an "unrecognized character" error.

Can I somehow log the checksum error but at least let the parser parse it anyways?

Thanks,

Daniela

Quoting Seth Hall <hall.692@osu.edu>:

Vern_Paxson4 · February 5, 2010, 1:40am

ignore the checksum errors, since now it's giving me an "unrecognized
character" error.

That usually means you left off a -r running against a trace, like

bro foo.trace http-request

rather than

bro -r foo.trace http-request

Bro is then trying to parse foo.trace as a script and the low-level scanner
flags an impossible (8-bit) character.

Vern

daniela.miao · February 5, 2010, 2:01am

Hi Vern,

It appears that you're absolutely right, my bad, thanks again!

Daniela

Quoting Vern Paxson <vern@icir.org>:

system · May 6, 2022, 3:39pm