[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?
vern at icir.org
Mon Sep 16 15:06:45 PDT 2013
[reviving an old thread]
> > I think we should keep the default with strict checksum checking, especially now that we have the new script that tells users if they seem to have invalid checksums. I would rather push people down the right path as much as possible.
> My thoughts too.
I'm struck by how often new users continue to get bitten by needing -C
due to checksum offloading. Would it work to provide checksum auto-sensing?
Something like: if upon reading from an interface the very first packet
has a checksum error, assume that -C is needed; verify this, though, for
the next N packets, just to be safe.
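
The auto-sensing idea proposed above, sketched as an added example (not part of the original message and not Bro's code). It checks only the IPv4 header checksum; the window size `n`, the `min_bad` threshold and all function names are assumptions made for illustration, and the packets are constructed samples.

```python
import struct
from itertools import islice

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_ok(packet: bytes) -> bool:
    """True if the IPv4 header checksum verifies (header sums to 0xFFFF)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False
    return ones_complement_sum(packet[:ihl]) == 0xFFFF

def make_header(ident: int, offloaded: bool) -> bytes:
    """Constructed sample: 20-byte IPv4 header, 192.0.2.1 -> 192.0.2.2.
    offloaded=True leaves the checksum field zero, modelling a capture
    taken before the NIC has filled it in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    if offloaded:
        return hdr
    csum = ~ones_complement_sum(hdr) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def autosense_ignore_checksums(packets, n=10, min_bad=0.5) -> bool:
    """Return True if the capture should be read as if -C were given.
    Assumed rule: the first packet must fail, and at least min_bad of
    the next n packets must fail too; otherwise stay strict."""
    it = iter(packets)
    first = next(it, None)
    if first is None or ipv4_header_ok(first):
        return False              # first packet verifies: keep strict checking
    window = list(islice(it, n))
    if not window:
        return False              # nothing to confirm with: stay strict
    bad = sum(not ipv4_header_ok(p) for p in window)
    return bad / len(window) >= min_bad
```

A single corrupted first packet followed by valid ones leaves strict checking on, which is the case the "next N packets" verification step guards against.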