Should Bro Ignore PCAP Checksums by Default?

[reviving an old thread]

> I think we should keep the default with strict checksum checking, especially now that we have the new script that tells users if they seem to have invalid checksums. I would rather push people down the right path as much as possible.

My thoughts too.

I'm struck by how often new users continue to get bitten by needing -C
due to checksum offloading. Would it work to provide checksum auto-sensing?
Something like: if upon reading from an interface the very first packet
has a checksum error, assume that -C is needed; verify this, though, for
the next N packets, just to be safe.


Hrm, I'm conflicted about this. I agree that would be a nice approach for my pragmatic side that wants Bro to fight and strive and do the best analysis, but my strict side says that I'd like to get people to do the right thing.

I think I'm on board with this idea. It would be nice to get fewer people tripping over that, as long as we are careful to warn them whenever we're auto-disabling checksum validation.
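The auto-sensing heuristic proposed in the thread, sketched as an added example; it is not part of the original messages and is not Bro's code. It assumes IPv4 header checksums only, reads "verify for the next N packets" as "all N must also fail", and uses hypothetical names (`autosense`, `header_ok`, `make_header`) with constructed sample headers.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an even-length IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_ok(packet: bytes) -> bool:
    """A valid header checksums to zero when its checksum field is included."""
    if len(packet) < 20:
        return False
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    return 20 <= ihl <= len(packet) and ipv4_checksum(packet[:ihl]) == 0

def autosense(packets, n=10):
    """Return (ignore_checksums, warning).

    Assumed policy: a bad first packet only raises suspicion; validation is
    disabled (the effect of -C) only if the next n packets all fail as well.
    With fewer than n follow-up packets, strict checking stays on.
    """
    sample = list(packets)[: n + 1]
    if not sample or header_ok(sample[0]):
        return False, None
    follow = sample[1:]
    if len(follow) == n and not any(header_ok(p) for p in follow):
        return True, (f"WARNING: first {n + 1} packets all had invalid checksums; "
                      "checksum validation auto-disabled (as with -C)")
    return False, None

def make_header(ident: int, offloaded: bool) -> bytes:
    """Constructed sample header; 'offloaded' leaves the checksum field at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0x4000, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    if offloaded:
        return hdr
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

if __name__ == "__main__":
    offloaded_capture = [make_header(i, True) for i in range(11)]
    one_bad_packet = [make_header(0, True)] + [make_header(i, False) for i in range(1, 11)]
    print(autosense(offloaded_capture))
    print(autosense(one_bad_packet))
```

A single corrupted first packet leaves strict checking on, and the warning string is what keeps the auto-disable visible to the user, as the last reply asks.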