[Bro] modifying bro.init

Seth Hall hall.692 at osu.edu
Thu Feb 4 07:00:43 PST 2010


On Feb 4, 2010, at 1:14 AM, Vern Paxson wrote:

> These comments confuse me.  If a packet has an IP checksum error, then the
> DNS parser shouldn't even analyze the packet.  However, turning on
> ignore_checksum=T will cause it to analyze the bad packet, so if anything
> it should give trouble rather than reduce trouble.


I left off the rest of my explanation for that statement. :)  It seems  
like almost everyone eventually runs Bro against a tracefile that was  
captured on a NIC doing checksum offloading.

I know it happened to me and I had to find out how to ignore checksum  
errors.  I think I found out about how to disable checksum checks from  
a post you made on the mailing list several years ago. ;)

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
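
Added example, not part of the original message and not Bro code: a Python check that verifies IPv4 header checksums and groups failures by sender, to tell a trace captured with checksum offloading apart from genuinely corrupted traffic before turning checksum validation off. The function names, the sample addresses and the "single sender" heuristic are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_ipv4_header(src: str, dst: str, fill_checksum: bool = True) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, no options, no payload)."""
    fields = [0x45, 0, 20, 0x1234, 0, 64, socket.IPPROTO_UDP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    if fill_checksum:
        fields[7] = ~ones_complement_sum(header) & 0xFFFF
        header = struct.pack("!BBHHHBBH4s4s", *fields)
    return header

def header_checksum_ok(packet: bytes) -> bool:
    """A valid header sums to 0xFFFF when the checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl:
        return False
    return ones_complement_sum(packet[:ihl]) == 0xFFFF

def bad_checksum_sources(packets) -> Counter:
    """Count header checksum failures per source address."""
    bad = Counter()
    for pkt in packets:
        if not header_checksum_ok(pkt):
            src = socket.inet_ntoa(pkt[12:16]) if len(pkt) >= 16 else "truncated"
            bad[src] += 1
    return bad

def looks_like_offload(packets) -> bool:
    """Heuristic (assumption): all failures come from one sender, others verify."""
    bad = bad_checksum_sources(packets)
    return len(bad) == 1 and len(packets) > sum(bad.values())

# Constructed sample: capture host 192.0.2.10 transmits with the checksum left
# unfilled (as when the NIC computes it later); replies from 198.51.100.53 verify.
SAMPLE = [build_ipv4_header("192.0.2.10", "198.51.100.53", fill_checksum=False),
          build_ipv4_header("198.51.100.53", "192.0.2.10"),
          build_ipv4_header("192.0.2.10", "198.51.100.53", fill_checksum=False)]
```

If failures are spread across many senders instead, the trace more likely contains real corruption, and disabling checksum validation would feed those packets to the analyzers.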



