[Bro] HTTP not being seen

James Lay jlay at slave-tothe-box.net
Mon Sep 16 05:26:46 PDT 2013

On Sep 15, 2013, at 7:50 PM, Seth Hall <seth at icir.org> wrote:

> On Sep 14, 2013, at 5:04 AM, Keith Butler <kebutler at gmail.com> wrote:
>> Option 1 would probably entail:
>> If you are using broctl, in your broctl.cfg file add the line (then install and restart in broctl)?
>> broargs = --no-checksums
> I want to chime in here quickly.  Generally if you are running in BroControl it means that you are sniffing live traffic and probably in an environment where you want things to run correctly in which case you would *never* want to configure this option.  If packet have bad checksums, they generally should be dropped.
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

I completely agree.  In my case however, I believe it's a "feature" of PPPoE…those same packets captured on the physical eth1 NIC are flawless with zero issues.  I tried having Bro listen to eth1, but I don't think it plays with the PPPoE.  Thanks for the input Seth.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130916/d01734ce/attachment.bin 

More information about the Bro mailing list