[Bro] UDP contents
vern at icir.org
Mon Jan 29 17:20:04 PST 2007
> 1170117967.140200 weird: bad_UDP_checksum
> 1170117967.140751 weird: bad_UDP_checksum
> 1170117967.141191 weird: bad_UDP_checksum
> 1170117967.142015 weird: bad_TCP_checksum
> 1170117967.142807 weird: bad_TCP_checksum
> So.. my current theory is there's something screwy with our local
> network and I intend to find out what's causing it.

It's very likely the problem is that for outbound packets, your local
packet capture occurs at a point in the kernel prior to when the checksums
are computed (this can especially be the case if your system has a form
of TCP offboard acceleration).

> This UDP traffic 'works' so I think Bro should be detecting
> it regardless of whether some networking equipment might be mangling the
> packets a bit.

You can test this by running Bro with -C to tell it to ignore checksum errors.
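
The effect described in the reply, as an added example that is not part of the original message or of Bro's code: a Python sketch that validates a UDP checksum the way a monitor would, run on the same datagram as it appears on the wire and as it might appear when captured on the sending host before the checksum is final. The function names, addresses, ports, payload and the unfinished checksum value are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IP/UDP/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 17, udp_len))   # 17 = UDP

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of a UDP segment whose checksum field is zeroed."""
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return (~ones_complement_sum(data) & 0xFFFF) or 0xFFFF

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """The check a monitor applies to a captured UDP segment."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:                          # IPv4: sender computed no checksum
        return True
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return udp_checksum(src_ip, dst_ip, zeroed) == stored

def build_segment(src_ip, dst_ip, sport, dport, payload, finished=True):
    """finished=False models a capture taken before the checksum is final."""
    length = 8 + len(payload)
    body = struct.pack("!HHHH", sport, dport, length, 0) + payload
    if finished:
        csum = udp_checksum(src_ip, dst_ip, body)
    else:
        # Constructed stand-in: only the pseudo-header has been summed so far.
        csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, length))
    return body[:6] + struct.pack("!H", csum) + body[8:]

# Constructed sample: addresses, ports and payload are illustrative only.
SRC, DST = "192.0.2.10", "192.0.2.53"
ON_WIRE = build_segment(SRC, DST, 40000, 53, b"query")
AT_SENDER = build_segment(SRC, DST, 40000, 53, b"query", finished=False)

if __name__ == "__main__":
    print("on the wire:", checksum_ok(SRC, DST, ON_WIRE))
    print("captured at sender:", checksum_ok(SRC, DST, AT_SENDER))
```

The two segments carry identical ports, length and payload; only the checksum field differs, which is why the traffic works for the receiver while the capture on the sending host reports it as bad.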