[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?
robin at icir.org
Mon Jun 10 07:58:55 PDT 2013
On Sun, Jun 09, 2013 at 19:55 +0000, you wrote:

> with incorrect checksums, you need to use the -C flag. Having to point
> this out got me thinking - should this not be the default behavior?

An argument for enabling the checksum check by default is that if a
checksum is broken, one can't trust the content of the packet anymore,
it could be just garbage, or truncated, and hence cause havoc later at
protocol decoding. However, a counter argument to that is that Bro
should be robust against broken packets anyways, even if the checksum

Current git gives a warning when Bro believes that your packets
generally have incorrect checksums and you should hence use -C. I'm
hoping that will point people into the right direction more quickly.
However, I think I also wouldn't object to changing the default, as it
indeed has become a very common problem these days.

> Bro already logs a weird for incorrect checksums;

But if the input generally doesn't have correct checksums, we also
don't really want all those logged as weirds.
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
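As an added illustration for the discussion above (this is example code written for this page, not Bro's own checksum code and not part of the thread), the script below verifies IPv4 header and TCP checksums the way a packet analyzer has to, over packets it constructs itself, treats a snaplen-truncated segment as unverifiable, and reports when most of a capture fails the check, which is the symptom of a capture taken with checksum offloading enabled. The 50% threshold and the advice text are this example's assumptions, not Bro's actual heuristic; the sample packets (10.0.0.1 -> 10.0.0.2, an HTTP GET) are constructed.

```python
"""Verify IPv4/TCP checksums on constructed packets (example, not Bro code)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: complement of the ones' complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_tcp(payload: bytes, tcp_csum=None, ip_csum=None) -> bytes:
    """Build a constructed IPv4+TCP packet. Passing tcp_csum/ip_csum=0
    simulates what checksum offloading leaves in a local capture."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len,
                         1, 0x4000, 64, 6, 0, src, dst)
    if ip_csum is None:
        ip_csum = checksum(ip_hdr)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    # sport 40000, dport 80, seq 1, ack 0, data offset 5, PSH|ACK, window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    if tcp_csum is None:
        tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def ipv4_header_ok(pkt: bytes) -> bool:
    """Header checksum verifies iff the ones' complement sum over it is 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl:
        return False  # truncated header: nothing here can be trusted
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def tcp_checksum_ok(pkt: bytes) -> bool:
    """TCP checksum covers a pseudo-header (addresses, proto, length) plus the segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < total_len:
        return False  # snaplen cut the segment short; the checksum cannot be verified
    seg = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    return ones_complement_sum(pseudo + seg) == 0xFFFF


def checksum_report(packets, threshold=0.5):
    """Return (bad, total, advice). The threshold is this example's own
    choice, not the heuristic Bro uses for its warning."""
    bad = sum(1 for p in packets
              if not (ipv4_header_ok(p) and tcp_checksum_ok(p)))
    advice = ""
    if packets and bad / len(packets) > threshold:
        advice = ("most packets fail checksum validation; the capture was "
                  "probably taken with checksum offloading enabled, consider -C")
    return bad, len(packets), advice


if __name__ == "__main__":
    req = b"GET / HTTP/1.0\r\n\r\n"
    good = build_ipv4_tcp(req)
    offloaded = build_ipv4_tcp(req, tcp_csum=0, ip_csum=0)
    truncated = good[:40]  # as if captured with a 40-byte snaplen
    for name, p in [("good", good), ("offloaded", offloaded), ("truncated", truncated)]:
        print(name, "ip_ok=%s tcp_ok=%s" % (ipv4_header_ok(p), tcp_checksum_ok(p)))
    print(checksum_report([good, offloaded, offloaded]))
```

Note that a truncated packet is reported as failing rather than passing: a checksum that cannot be computed over the full segment says nothing about the bytes that were captured, which is the "garbage or truncated" case the post describes.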