Someone recently asked me if there were any "gotchas" to trying Bro. The only thing that I could think of is that if you're reading a PCAP with incorrect checksums, you need to use the -C flag. Having to point this out got me thinking - should this not be the default behavior? Bro already logs a weird for incorrect checksums; does it really make sense to have it ignore those packets? Should the option be flipped, to "enable strict checksum verification," or something like that?
with incorrect checksums, you need to use the -C flag. Having to point
this out got me thinking - should this not be the default behavior?
An argument for enabling the checksum check by default is that if a
checksum is broken, one can't trust the content of the packet anymore;
it could be just garbage, or truncated, and hence cause havoc later at
protocol decoding. However, a counter argument to that is that Bro
should be robust against broken packets anyway, even if the checksum
is correct.
Current git gives a warning when Bro believes that your packets
generally have incorrect checksums and you should hence use -C. I'm
hoping that will point people in the right direction more quickly.
However, I think I also wouldn't object to changing the default, as it
indeed has become a very common problem these days.
Bro already logs a weird for incorrect checksums;
But if the input generally doesn't have correct checksums, we also
don't really want all those logged as weirds.
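To make the two sides of this concrete, here is an added example (written for this page, not Bro's own code or its checksum-offloading script): it reimplements the IPv4 header and TCP checksum checks that -C disables, constructs a few packets inline (one clean set, one with corrupted TCP checksums as a stand-in for a capture taken with checksum offloading), and applies a simple once-per-capture heuristic of the kind described above, so that a trace that is mostly failing produces a single "consider -C" warning instead of a weird per packet. The weird names mirror Bro's bad_IP_checksum / bad_TCP_checksum; the MIN_PACKETS and BAD_RATIO thresholds are assumptions chosen here, not Bro's.

```python
"""IPv4/TCP checksum verification plus an aggregate 'bad checksums' heuristic.

Added example, not Bro's own code. It reimplements the two checks that
Bro skips under -C (IPv4 header checksum, TCP checksum over the
pseudo-header) and a simple version of the heuristic discussed in the
thread: once a capture is mostly failing checksums, warn once rather
than logging a weird per packet. Packet bytes are constructed inline;
MIN_PACKETS and BAD_RATIO are thresholds chosen here, not Bro's.
"""
import struct
from collections import Counter
from typing import Dict, List

MIN_PACKETS = 20    # assumption: don't judge a capture on fewer packets
BAD_RATIO = 0.05    # assumption: more than 5% failures means "generally bad"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: sum 16-bit words with end-around carry, return the complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_ok(pkt: bytes) -> bool:
    """A correct header, checksum field included, complements to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    """TCP checksum covers a pseudo-header (addresses, proto, length) + segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0


def build_tcp_packet(payload: bytes, break_ip: bool = False,
                     break_tcp: bool = False) -> bytes:
    """Construct a 10.0.0.1 -> 10.0.0.2 TCP/IPv4 packet (constructed test data)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_csum = ones_complement_sum(pseudo + tcp)
    if break_tcp:
        tcp_csum ^= 1   # deterministic corruption (offloading typically leaves 0 or a partial sum)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, src, dst)
    ip_csum = ones_complement_sum(ip)
    if break_ip:
        ip_csum ^= 1
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    return ip + tcp


def verify_capture(packets: List[bytes], ignore_checksums: bool = False) -> Dict:
    """Mimic the per-packet drop decision and a once-per-capture warning.

    ignore_checksums plays the role of -C: every packet is accepted and no
    weird is raised. Otherwise failing packets are dropped and counted under
    Bro-style weird names; if, after MIN_PACKETS, more than BAD_RATIO of the
    packets failed, a single warning suggesting -C is produced.
    """
    weirds: Counter = Counter()
    accepted = 0
    for pkt in packets:
        if ignore_checksums:
            accepted += 1
            continue
        if not ipv4_header_ok(pkt):
            weirds["bad_IP_checksum"] += 1
        elif not tcp_checksum_ok(pkt):
            weirds["bad_TCP_checksum"] += 1
        else:
            accepted += 1
    total = len(packets)
    bad = total - accepted
    generally_bad = (not ignore_checksums and total >= MIN_PACKETS
                     and bad / total > BAD_RATIO)
    return {
        "total": total,
        "accepted": accepted,
        "weirds": dict(weirds),
        "warning": ("Your trace appears to have bad checksums; consider -C"
                    if generally_bad else None),
    }


if __name__ == "__main__":
    good = [build_tcp_packet(b"GET / HTTP/1.0\r\n\r\n") for _ in range(25)]
    offloaded = [build_tcp_packet(b"x" * i, break_tcp=True) for i in range(25)]
    print(verify_capture(good))
    print(verify_capture(offloaded))
    print(verify_capture(offloaded, ignore_checksums=True))
```

Running the block prints three summaries: the clean capture is fully accepted with no warning, the corrupted one is dropped entirely and triggers the single warning, and the same corrupted capture with ignore_checksums=True (the -C case) is accepted without any weirds.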
I think we should keep the default with strict checksum checking, especially now that we have the new script that tells users if they seem to have invalid checksums. I would rather push people down the right path as much as possible.