[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?

Vern Paxson vern at icir.org
Mon Sep 16 15:06:45 PDT 2013

[reviving an old thread]

> > I think we should keep the default with strict checksum checking, especially now that we have the new script that tells users if they seem to have invalid checksums.  I would rather push people down the right path as much as possible.
> My thoughts too.

I'm struck by how often new users continue to get bitten by needing -C
due to checksum offloading.  Would it work to provide checksum auto-sensing?
Something like: if upon reading from an interface the very first packet
has a checksum error, assume that -C is needed; verify this, though, for
the next N packets, just to be safe.


More information about the bro-dev mailing list