[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?

Robin Sommer robin at icir.org
Mon Jun 10 07:58:55 PDT 2013
On Sun, Jun 09, 2013 at 19:55 +0000, you wrote:

> with incorrect checksums, you need to use the -C flag. Having to point
> this out got me thinking - should this not be the default behavior?

An argument for enabling the checksum check by default is that if a
checksum is broken, one can't trust the content of the packet anymore,
it could be just garbage, or truncated, and hence cause havoc later at
protocol decoding. However, a counter argument to that is that Bro
should be robust against broken packets anyways, even if the checksum
is correct.

Current git gives a warning when Bro believes that your packets
generally have incorrect checksums and you should hence use -C. I'm
hoping that will point people into the right direction more quickly.

However, I think I also wouldn't object to changing the default, as it
indeed has become a very common problem these days.

> Bro already logs a weird for incorrect checksums;

But if the input generally doesn't have correct checksums, we also
don't really want all those logged as weirds.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin
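Added example, not code from the thread or from Bro itself: a small Python checker that validates the IPv4 header and TCP checksums of constructed packets, and a constructed threshold heuristic in the spirit of the warning Robin describes (Bro's real detection logic is not reproduced here). Packet layout, addresses and the 50% threshold are assumptions chosen for illustration.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return internet_checksum(pkt[:ihl]) == 0

def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))  # src, dst, zero, proto, length
    return internet_checksum(pseudo + seg) == 0

def build_ipv4_tcp(payload: bytes, fix_checksums: bool = True) -> bytes:
    """Constructed IPv4/TCP packet 10.0.0.1:40000 -> 10.0.0.2:80. With
    fix_checksums=False both checksum fields stay zero, mimicking a trace
    captured on a host whose NIC would have filled them in (checksum offloading)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if fix_checksums:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    if fix_checksums:
        ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp

def suggest_ignore_checksums(packets, threshold: float = 0.5) -> bool:
    """Constructed heuristic, not Bro's actual logic: when more than `threshold`
    of the packets fail a checksum, the trace was most likely captured with
    offloading enabled and the analyst should consider running with -C."""
    if not packets:
        return False
    bad = sum(1 for p in packets if not (ipv4_header_checksum_ok(p) and tcp_checksum_ok(p)))
    return bad / len(packets) > threshold

if __name__ == "__main__":
    good = build_ipv4_tcp(b"GET / HTTP/1.0\r\n\r\n")
    bad = build_ipv4_tcp(b"GET / HTTP/1.0\r\n\r\n", fix_checksums=False)
    print(ipv4_header_checksum_ok(good), tcp_checksum_ok(good))  # True True
    print(ipv4_header_checksum_ok(bad), tcp_checksum_ok(bad))    # False False
    print(suggest_ignore_checksums([bad, bad, bad, good]))       # True
```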

