Should Bro Ignore PCAP Checksums by Default?

Vern · September 16, 2013, 10:06pm

[reviving an old thread]

> I think we should keep the default with strict checksum checking, especially now that we have the new script that tells users if they seem to have invalid checksums. I would rather push people down the right path as much as possible.

My thoughts too.

I'm struck by how often new users continue to get bitten by needing -C
due to checksum offloading. Would it work to provide checksum auto-sensing?
Something like: if upon reading from an interface the very first packet
has a checksum error, assume that -C is needed; verify this, though, for
the next N packets, just to be safe.

Vern

Seth_Hall3 · September 17, 2013, 1:22am

Hrm, I'm conflicted this. I agree that would be a nice approach for my pragmatic side that wants Bro to fight and strive and do the best analysis but my strict side says that I'd like to get people to do the right thing.

I think I'm onboard with this idea. It would be nice to get fewer people tripping over that as long as we are careful to warn them whenever we're auto-disabling checksum validation.

.Seth

Topic		Replies	Views
Should Bro Ignore PCAP Checksums by Default? Development development	4	96	May 6, 2022
modifying bro.init Zeek	9	78	May 6, 2022
libpcap compatibility problem (Re: new bro "CURRENT" release - 0.8a57) Zeek	5	92	May 6, 2022
Artificial SYN-Packets? Zeek	5	89	May 6, 2022
bad_tcp_checksum Zeek	5	206	May 6, 2022

Should Bro Ignore PCAP Checksums by Default?

Related topics