[Bro] http_request event
Juan Caballero
juanca at andrew.cmu.edu
Sun Jun 19 20:31:53 PDT 2005
Try to run it using the -C option to ignore checksums.
%bro -C -r <file> <script>
The checksum thing could be that your network interface takes care of computing the checksums, thus pcap 'thinks' they are incorrect (they are fixed later by the NIC). Check %ifconfig -a and if you see something like <RXCSUM,TXCSUM> then that explains it.
Regards,
Juan
> Hi Vern, You are right. The machine where Bro is running generated
> BAD_TCP_Checksum packets. This is why I didn't see any tcp traffic sent by
> this machine. Which part do you think causes this checksum problem: IC
> card or system driver? This machine runs Fedora 3. Although it has this
> problem, I have used it for a long time without any trouble. It seems the
> Fedora system and the Mozilla Firefox browser ignore this checksum problem.
>
> Thank you for your help
>
> Bing
>
>
> Quoting Vern Paxson <vern at icir.org>:
>
>> The next step is to record the traffic with tcpdump -w (using a
>> snapshot of -s 0 to capture entire packets) and then run bro against the
>> trace using bro -r trace rather than running it live. If it doesn't log
>> any HTTP session information, look at the trace using tcpdump -v -v to
>> see whether it *contains* any tcpdump traffic, and whether the traffic
>> has valid checksums.
>>
>> Vern
>>
>
>
> _______________________________________________ Bro mailing list
> bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
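Added example, not part of the original thread: a small Python check for the symptom discussed above, verifying TCP checksums over raw IPv4 packets and counting failures per source address. If every failure comes from the capturing host's own address, checksum offload is the likely cause and -C is appropriate. The addresses, ports, payloads and the `build_packet` helper are constructed for illustration; an offloaded packet is modelled here with a zeroed checksum field.

```python
import struct
from collections import Counter

def csum16(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, folded to 16 bits and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum_ok(ip_packet: bytes) -> bool:
    """True if the TCP checksum of a raw IPv4 packet verifies."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    segment = ip_packet[ihl:total_len]
    # Pseudo-header: source, destination, zero byte, protocol 6, TCP length
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return csum16(pseudo + segment) == 0

def bad_checksum_sources(packets) -> Counter:
    """Count packets with a failing TCP checksum, keyed by source address."""
    bad = Counter()
    for pkt in packets:
        if pkt[9] == 6 and not tcp_checksum_ok(pkt):
            bad[".".join(map(str, pkt[12:16]))] += 1
    return bad

def build_packet(src, dst, payload, offloaded=False) -> bytes:
    """Constructed IPv4/TCP packet (hypothetical helper, sample data only).
    offloaded=True leaves the checksum unfilled, as a local capture sees it."""
    s, d = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    if not offloaded:
        c = csum16(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", c) + tcp[18:]
    # IP header checksum is left at zero; only the TCP checksum is examined
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0)
    return ip + s + d + tcp

if __name__ == "__main__":
    trace = [build_packet("10.0.0.5", "192.0.2.10", b"GET / HTTP/1.0\r\n\r\n", True),
             build_packet("192.0.2.10", "10.0.0.5", b"HTTP/1.0 200 OK\r\n\r\n")]
    print(bad_checksum_sources(trace))
```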