[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?
seth at icir.org
Mon Sep 16 18:22:15 PDT 2013
On Sep 16, 2013, at 6:06 PM, Vern Paxson <vern at icir.org> wrote:
> I'm struck by how often new users continue to get bitten by needing -C
> due to checksum offloading. Would it work to provide checksum auto-sensing?
> Something like: if upon reading from an interface the very first packet
> has a checksum error, assume that -C is needed; verify this, though, for
> the next N packets, just to be safe.
Hrm, I'm conflicted this. I agree that would be a nice approach for my pragmatic side that wants Bro to fight and strive and do the best analysis but my strict side says that I'd like to get people to do the right thing.
I think I'm onboard with this idea. It would be nice to get fewer people tripping over that as long as we are careful to warn them whenever we're auto-disabling checksum validation.
International Computer Science Institute
(Bro) because everyone has a network
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20130916/a456b3a9/attachment.bin
More information about the bro-dev