[Bro] modifying bro.init

daniela.miao at utoronto.ca daniela.miao at utoronto.ca
Thu Feb 4 17:32:03 PST 2010

Hi Seth,

That worked great, thanks a lot! But it seems that I shouldn't simply  
ignore the checksum errors, since now it's giving me an "unrecognized  
character" error.

Can I somehow log the checksum error but at least let the parser parse  
it anyways?



Quoting Seth Hall <hall.692 at osu.edu>:

> On Feb 3, 2010, at 9:55 PM, daniela.miao at utoronto.ca wrote:
>> Thanks for your help before. I found that the DNS parser was giving me
>> trouble due to many of the IP checksum errors. I don't really care
>> much about these errors anyways.
> Ah, that trips up everyone eventually I think. :)
>> I understand the boolean value of ignore_checksum is set to False in
>> bro.init, do I just modify this file?
> Nope, you don't modify the bro.init script.  See below.
>> I apologize if the issue seems trivial, I'm just starting to get the
>> hang of the language.
> You have two options.
> Either in a script you write and load on the command line...
> redef ignore_checksum=T;
> or run Bro this way....
> bro -r test.pcap dns ignore_checksum=T
> Feel free to ask more questions!
>   .Seth
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721

More information about the Bro mailing list