[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?

Seth Hall seth at icir.org
Mon Sep 16 18:22:15 PDT 2013

On Sep 16, 2013, at 6:06 PM, Vern Paxson <vern at icir.org> wrote:

> I'm struck by how often new users continue to get bitten by needing -C
> due to checksum offloading.  Would it work to provide checksum auto-sensing?
> Something like: if upon reading from an interface the very first packet
> has a checksum error, assume that -C is needed; verify this, though, for
> the next N packets, just to be safe.

Hrm, I'm conflicted this.  I agree that would be a nice approach for my pragmatic side that wants Bro to fight and strive and do the best analysis but my strict side says that I'd like to get people to do the right thing.

I think I'm onboard with this idea.  It would be nice to get fewer people tripping over that as long as we are careful to warn them whenever we're auto-disabling checksum validation.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20130916/a456b3a9/attachment.bin 

More information about the bro-dev mailing list