[Bro] Artificial SYN-Packets?

Lothar Braun lothar at lobraun.de
Mon Jun 8 07:49:31 PDT 2009


Hi Vern,

Vern Paxson wrote:
> A bunch of the packets have bad TCP checksums.  This is likely the problem -
> the event engine is discarding them on that account.

Thank you for the quick reply.

All the packets have bad checksums, because I padded them with
tcprewrite and forgot to use the fix checksum option. I therefore used
bro -C to disable checksum testing when I ran my script (bro actually
would have discarded these packets without -C). So I don't think this is
the source of the problem.

To make sure, I fixed the checksums with tcprewrite (see attached pcap)
and still get the same problem.

Best regards,
  Lothar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example-fixed.pcap
Type: application/octet-stream
Size: 2057 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20090608/f62a9f19/attachment.obj 


More information about the Bro mailing list