[Bro] bad_tcp_checksum
Yohann THOMAS
yohann.thomas at rd.francetelecom.com
Mon Jan 17 10:05:12 PST 2005
Here are the last results of my investigation ;-) :
-I confirm the bad tcp checksums when capturing with tcpdump, and I
confirm that there is no bad tcp checksum with the computer on which Bro
works correctly (using in both cases libpcap-0.8.3-5, which is the same
as Bro),
-Bro works offline for all the tested computers with a correct dump,
-Considering it "could" be due to the ethernet controller (strange,
but...), I tried another one. In fact, my old computer had a PCnet32, so
I tried this one on the other computer.
Result : it works !!! So, it first seems to confirm the problem isn't
due to a conflict between software versions.
Hum...In fact, I remember that I had Bro work very well with 3Com and
Realtek chips, and also Intel e100...
...and suddenly, I come to the fact that the 2 computers on which I have
bad tcp checksums have gigabit ethernet controllers...
Note that one is really used in a gigabit network, but the other one is
on a 100Mbps network, so it is automatically restricted at 100Mbps.
So, my question is : Can the problem be due to the gigabit interfaces
(even if one is used at a 100Mbps speed) ??? (Initialization problem ???
...)
Yohann.
Christian Kreibich wrote:
>Hi Yohann,
>
>it looks like we should make sure it is actually a Bro problem first.
>When you run tcpdump on the link with -vvv and capturing entire packets,
>do you also see bad checksum warnings? Try to make sure the tcpdump is
>using the same libpcap as Bro before trying.
>
>Cheers,
>Christian.
>
>On Mon, 2005-01-17 at 08:33 +0100, Yohann THOMAS wrote:
>
>
>>Hi everybody,
>>
>>I've been using Bro on my computer for different purposes for a few
>>months and till now, it always worked well ;-)
>>Unfortunately, I've been experiencing a problem for a few days.
>>
>>In fact, when running Bro (with http.bro script) on some other
>>computers, I have series of "bad_tcp_checksum" (with Linux) or
>>"bad_ip_checksum" (with FreeBSD), and only a few packets seem to be
>>read correctly.
>>
>>To sum up, here is the current situation :
>>
>>->Bro still works on my computer (Linux Debian, Kernel 2.4.26 - Bro 0.8a87)
>>
>>->I have "bad_tcp_checksum" or "bad_ip_checksum" in these (tested) cases
>>(on 3 other computers) :
>>
>> 1.Bro 0.8a87, 0.8a88, 0.9a7 on Linux Debian Kernel 2.6.8 and 2.4.26,
>> installed with the same mirrors (same versions of libpcap in particular)
>>
>> 2.Bro 0.8a37 (package) on FreeBSD 5.3
>>
>>(Experiments were done on an operational network, but also directly
>>between two computers with a crossover cable)
>>
>>If it can be of interest (I don't really know why, but...), my computer
>>has an AMD PCnet32 ethernet controller. Bad checksums were obtained with
>>Intel and Broadcom controllers.
>>
>>Hum... Any ideas are welcome... ;-)
>>
>>Thanks in advance,
>>
>>Yohann.
>>
>>
>
>
>
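The quoted reply suggests confirming the bad checksums outside Bro before blaming it. As an added example (not part of this thread and not Bro or tcpdump code), the following recomputes the IPv4 header and TCP checksums of a raw IPv4 packet taken from a capture; the sample packet, addresses and function names are constructed for illustration.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def check_ipv4_tcp(packet: bytes) -> dict:
    """Verify both checksums of a raw IPv4/TCP packet (link-layer header removed)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!H", packet[2:4])[0], struct.unpack("!H", packet[6:8])[0]
    if ihl < 20 or not ihl + 20 <= total_len <= len(packet):
        raise ValueError("truncated capture: full packets are needed to verify TCP")
    if frag & 0x3FFF:
        raise ValueError("IP fragment: TCP checksum covers the reassembled segment")
    # Slice by the IP total length so link-layer padding after the packet is ignored.
    segment = packet[ihl:total_len]
    # TCP pseudo-header: source address, destination address, zero, protocol, TCP length.
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # With a correct checksum field in place, the sum over the covered bytes is 0xFFFF.
    return {
        "ip_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "tcp_ok": ones_complement_sum(pseudo + segment) == 0xFFFF,
    }

def build_sample(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed sample: 192.0.2.1:1234 -> 192.0.2.2:80 with correct checksums."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ~ones_complement_sum(pseudo + tcp) & 0xFFFF) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst
    ip = ip[:10] + struct.pack("!H", ~ones_complement_sum(ip) & 0xFFFF) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    good = build_sample()
    damaged = good[:-1] + bytes([good[-1] ^ 0xFF])  # one payload byte altered
    print("intact :", check_ipv4_tcp(good))
    print("damaged:", check_ipv4_tcp(damaged))
```

Running the same check on packets from the machine where Bro works and from one where it reports errors shows whether the bytes in the capture itself carry a wrong checksum.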