[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)
Siwek, Jon
jsiwek at illinois.edu
Wed Apr 1 08:26:22 PDT 2015
> ~/bro-liste$ /usr/local/bro/bin/bro -r download.pcap extract.bro
> 1427874309.892545 warning in /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid TCP checksums, most likely from NIC checksum offloading.
You’ll have to address this problem to get the results you expect. See:
https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
> The weird.log states some “above_hole_data_without_any_acks"
In this case, this seems like it’s just a side effect of the bad checksums, but in case you’re interested on how that type of situation can effect file extraction in Bro there’s discussion of how/why here:
https://bro-tracker.atlassian.net/browse/BIT-1255
- Jon
More information about the Bro
mailing list