[Bro] http_request event
vern at icir.org
Sun Jun 19 20:29:27 PDT 2005
> You are right. The machine where Bro is running generated BAD_TCP_Checksum
> packets. This is why I didn't see any tcp traffic sent by this machine. Which
> part do you think causes this checksum problem: IC card or system driver?
When we've seen this before, it was because the NIC was offloading checksumming,
so packets captured by the packet filter didn't have their checksums filled in.
This was revealed via ifconfig, along the lines of:
    1 % ifconfig em0
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 131.243.X.Y netmask 0xffffff00 broadcast 131.243.X.255
            media: Ethernet autoselect (1000baseTX <full-duplex>)
If so, try running bro with -C (ignore checksums).
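
Added example, not part of the original message and not Bro's code: a Python check that validates TCP checksums over a constructed capture and reports hosts whose every segment fails, which is the pattern checksum offloading produces for the capturing machine's own outbound traffic. The addresses, function names and the zero-valued unfilled checksum field are assumptions made for the illustration.

```python
import socket
import struct
from collections import defaultdict

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6 (TCP), TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A correctly checksummed segment plus its pseudo-header sums to 0xFFFF."""
    return fold_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def make_segment(src, dst, sport, dport, payload, offloaded):
    """Constructed TCP segment. With offloaded=True the checksum field is left
    unfilled (zero here, an assumption), as the packet filter would see it."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if not offloaded:
        csum = ~fold_sum(pseudo_header(src, dst, len(seg)) + seg) & 0xFFFF
        seg = seg[:16] + struct.pack("!H", csum) + seg[18:]  # checksum is bytes 16-17
    return seg

def offload_suspects(packets, min_packets=2):
    """Return source hosts for which every captured segment fails validation."""
    seen, bad = defaultdict(int), defaultdict(int)
    for src, dst, seg in packets:
        seen[src] += 1
        bad[src] += not tcp_checksum_ok(src, dst, seg)
    return {h for h in seen if seen[h] >= min_packets and bad[h] == seen[h]}

# Constructed capture: LOCAL is the monitoring host with offloading, PEER is remote.
LOCAL, PEER = "192.0.2.10", "192.0.2.20"
CAPTURE = [
    (LOCAL, PEER, make_segment(LOCAL, PEER, 40000, 80, b"GET / HTTP/1.0\r\n\r\n", True)),
    (PEER, LOCAL, make_segment(PEER, LOCAL, 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n", False)),
    (LOCAL, PEER, make_segment(LOCAL, PEER, 40001, 80, b"GET /a HTTP/1.0\r\n\r\n", True)),
    (PEER, LOCAL, make_segment(PEER, LOCAL, 80, 40001, b"HTTP/1.0 404 Not Found\r\n\r\n", False)),
]

if __name__ == "__main__":
    print("hosts with only bad TCP checksums:", offload_suspects(CAPTURE))
```

If the only host reported is the one running the capture, the checksums are being filled in by the NIC after the packet filter sees the packets, and the traffic on the wire is intact.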