[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)

Siwek, Jon jsiwek at illinois.edu
Wed Apr 1 08:26:22 PDT 2015


> ~/bro-liste$ /usr/local/bro/bin/bro -r download.pcap extract.bro 
> 1427874309.892545 warning in /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid TCP checksums, most likely from NIC checksum offloading.

You’ll have to address this problem to get the results you expect.  See:

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

> The weird.log states some “above_hole_data_without_any_acks"

In this case, this seems like it’s just a side effect of the bad checksums, but in case you’re interested on how that type of situation can effect file extraction in Bro there’s discussion of how/why here:

https://bro-tracker.atlassian.net/browse/BIT-1255

- Jon



More information about the Bro mailing list