[Bro] bad_tcp_checksum

Christian Kreibich christian at whoop.org
Mon Jan 17 08:15:59 PST 2005


Hi Yohann,

it looks like we should make sure it is actually a Bro problem first.
When you run tcpdump on the link with -vvv and capturing entire packets,
do you also see bad checksum warnings? Try to make sure the tcpdump is
using the same libpcap as Bro before trying.

Cheers,
Christian.

On Mon, 2005-01-17 at 08:33 +0100, Yohann THOMAS wrote:
> Hi everybody,
> 
> I've been using Bro on my computer for different purposes for a few 
> months and till now, it has always worked well ;-)
> Unfortunately, I've been experiencing a problem for a few days.
> 
> In fact, when running Bro (with http.bro script) on some other 
> computers, I have series of "bad_tcp_checksum" (with Linux) or
> "bad_ip_checksum" (with FreeBSD), and only a few packets seem to be 
> read correctly.
> 
> To sum up, here is the current situation:
> 
> ->Bro still works on my computer (Linux Debian, Kernel 2.4.26 - Bro 0.8a87)
> 
> ->I have "bad_tcp_checksum" or "bad_ip_checksum" in these (tested) cases 
> (on 3 other computers):
>    
>     1.Bro 0.8a87, 0.8a88, 0.9a7 on Linux Debian Kernel 2.6.8 and 2.4.26,
>    installed with the same mirrors (same versions of libpcap in particular)
>    
>     2.Bro 0.8a37 (package) on FreeBSD 5.3
>  
> (Experiments were done on an operational network, but also directly 
> between two computers with a crossover cable)
> 
> If it can be of interest (I don't really know why, but...), my computer 
> has an AMD PCnet32 ethernet controller. Bad checksums were obtained with 
> Intel and Broadcom controllers.
> 
> Hum... Any ideas are welcome... ;-)
> 
> Thanks in advance,
> 
> Yohann.

-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
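
The following is an added example, not part of the original message or of Bro: a minimal Python check of the IPv4 header checksum and the TCP checksum, the kind of verification behind a bad-checksum warning. The packet, addresses and function names are constructed for illustration; it also shows why the capture has to contain entire packets, since a truncated TCP segment cannot be verified.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum (folded, not inverted)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def internet_checksum(data: bytes) -> int:
    return ~ones_complement_sum(data) & 0xFFFF

def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet with valid checksums (sample data)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                      5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp

def check_packet(pkt: bytes) -> dict:
    """Verify checksums of a raw IPv4/TCP packet (link header already removed)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    # A valid header sums to 0xFFFF when its own checksum field is included.
    result = {"ip": ones_complement_sum(pkt[:ihl]) == 0xFFFF}
    if len(pkt) < total_len:
        # Capture was cut short (snaplen): the TCP checksum covers the whole
        # segment, so it cannot be judged good or bad from a partial packet.
        result["tcp"] = "truncated"
        return result
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    result["tcp"] = ones_complement_sum(pseudo + tcp) == 0xFFFF
    return result

if __name__ == "__main__":
    good = build_packet(b"GET / HTTP/1.0\r\n\r\n")
    print("intact   ", check_packet(good))
    print("truncated", check_packet(good[:44]))
```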