[Bro] http_request event

Sun Jun 19 20:29:27 PDT 2005

>    You are right. The machine where Bro is running generated BAD_TCP_Checksum
> packets. This is why I didn't see any tcp traffic sent by this machine. Do you
> think which part causes this checksum problem: IC card or system driver?

When we've seen this before, it was because the NIC offloading checksumming,
so packets capture by the packet filter didn't have their checksums filled in.
This was revealed via ifconfig, along the lines of:

    1 % ifconfig em0
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 131.243.X.Y netmask 0xffffff00 broadcast 131.243.X.255
            ether 00:01:02:03:04:05
            media: Ethernet autoselect (1000baseTX <full-duplex>)
            status: active

If so, trying running bro with -C (ignore checksums).

		Vern