[Bro] bad_tcp_checksum

Christian Kreibich christian at whoop.org
Mon Jan 17 08:15:59 PST 2005

Hi Yohann,

it looks like we should make sure it is actually a Bro problem first.
When you run tcpdump on the link with -vvv and capturing entire packets,
do you also see bad checksum warnings? Try to make sure the tcpdump is
using the same libpcap as Bro before trying.


On Mon, 2005-01-17 at 08:33 +0100, Yohann THOMAS wrote:
> Hi everybody,
> I've been using Bro on my computer on different purposes for a few 
> months and till now, it always worked well ;-)
> Unfortunately, I'm experiencing a problem for a few days.
> In fact, when running Bro (with http.bro script) on some other 
> computers, I have series of "bad_tcp_checksum" (with Linux) or
> "bad_ip_checksum" (with FreeBSD), and only a few packets seems to be 
> read correctly.
> To sum up, here is the current situation :
> ->Bro still works on my computer (Linux Debian, Kernel 2.4.26 - Bro 0.8a87)
> ->I have "bad_tcp_checksum" or "bad_ip_checksum" in these (tested) cases 
> (on 3 other computers) :
>     1.Bro 0.8a87, 0.8a88, 0.9a7 on Linux Debian Kernel 2.6.8 and 2.4.26,
>    installed with the same mirrors (same versions of libpcap in particular)
>     2.Bro 0.8a37 (package) on FreeBSD 5.3
> (Experiments were done on an operational network, but also directly 
> between two computers with a crossover cable)
> If it can be of interest (I don't really know why, but...), my computer 
> has an
> AMD PCnet32 ethernet controller. Bad checksums where obtained with Intel 
> and
> Broadcom controllers.
> Hum... Any ideas are welcome... ;-)
> Thanks by advance,
> Yohann.


More information about the Bro mailing list