[Bro] TCP PUSH flag

Seth Hall seth at icir.org
Thu May 23 06:07:01 PDT 2013


On May 23, 2013, at 5:16 AM, nicolas.retrain at cea.fr wrote:

> I figured it out, it was a bad tcp checksum due to tcpdump (http://sokratisg.net/2012/04/01/udp-tcp-checksum-errors-from-tcpdump-nic-hardware-offloading/). I correct checksums with: "tcprewrite -i input.cap -o output.cap -C" so Bro seems to work fine :)

Were you using the 2.1 release or a build from our git repository?  There is a reporter warning (that now prints to stderr if you're running the bro binary directly) that should indicate if your tracefile has bad checksums.  I've been caught by that problem quite a few times myself before realizing that I had bad checksums.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
