[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?

Vlad Grigorescu vladg at cmu.edu
Sun Jun 9 12:55:48 PDT 2013


Just wanted to offer this up for discussion:

Someone recently asked me if there were any "gotchas" to trying Bro. The only thing that I could think of is that if you're reading a PCAP with incorrect checksums, you need to use the -C flag. Having to point this out got me thinking - should this not be the default behavior? Bro already logs a weird for incorrect checksums; does it really make sense to have it ignore those packets? Should the option be flipped, to "enable strict checksum verification," or something like that?

  --Vlad

