[Bro] bad_tcp_checksum

Yohann THOMAS yohann.thomas at rd.francetelecom.com
Mon Jan 17 10:05:12 PST 2005

Here are the last results of my investigation ;-) :

-I confirm the bad tcp checksums when capturing with tcpdump, and I 
confirm that there is no bad tcp checksum with the computer on which Bro 
works correctly (using in both cases libpcap-0.8.3-5, which is the same 
as Bro),

-Bro works offline for all the tested computers with a correct dump, 

-Considering It "could" be due to the ethernet controller (strange, 
but...), I tried another one. In fact, my old computer had a PCnet32, so 
I tried this one on the other computer.
Result : it works !!! So, it first seems to confirm the problem isn't 
due to a conflict between software versions.
 Hum...In fact, I remember that I had Bro work very well with 3Com and 
Realtek chips, and also Intel e100...

...and suddenly, I come to the fact that the 2 computers on which I have 
bad tcp checksums have gigabit ethernet controllers...

Note that one is really used in a gigabit network, but the other one is 
on a 100Mbps network, so it is automatically restricted at 100Mbps.

So, my question is : Can the problem be due to the gigabit interfaces 
(even if one is used at a 100Mbps speed) ??? (Initialization problem ??? 


Christian Kreibich wrote:

>Hi Yohann,
>it looks like we should make sure it is actually a Bro problem first.
>When you run tcpdump on the link with -vvv and capturing entire packets,
>do you also see bad checksum warnings? Try to make sure the tcpdump is
>using the same libpcap as Bro before trying.
>On Mon, 2005-01-17 at 08:33 +0100, Yohann THOMAS wrote:
>>Hi everybody,
>>I've been using Bro on my computer on different purposes for a few 
>>months and till now, it always worked well ;-)
>>Unfortunately, I'm experiencing a problem for a few days.
>>In fact, when running Bro (with http.bro script) on some other 
>>computers, I have series of "bad_tcp_checksum" (with Linux) or
>>"bad_ip_checksum" (with FreeBSD), and only a few packets seems to be 
>>read correctly.
>>To sum up, here is the current situation :
>>->Bro still works on my computer (Linux Debian, Kernel 2.4.26 - Bro 0.8a87)
>>->I have "bad_tcp_checksum" or "bad_ip_checksum" in these (tested) cases 
>>(on 3 other computers) :
>>    1.Bro 0.8a87, 0.8a88, 0.9a7 on Linux Debian Kernel 2.6.8 and 2.4.26,
>>   installed with the same mirrors (same versions of libpcap in particular)
>>    2.Bro 0.8a37 (package) on FreeBSD 5.3
>>(Experiments were done on an operational network, but also directly 
>>between two computers with a crossover cable)
>>If it can be of interest (I don't really know why, but...), my computer 
>>has an
>>AMD PCnet32 ethernet controller. Bad checksums where obtained with Intel 
>>Broadcom controllers.
>>Hum... Any ideas are welcome... ;-)
>>Thanks by advance,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050117/2dcba508/attachment.html 

More information about the Bro mailing list