[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT) / solved

Frank Meier franky.meier.1 at gmx.de
Thu Apr 2 00:23:36 PDT 2015


Thanks to all who answered!

The -C switch did the trick. Sometimes warnings should be taken 
seriously...

Have a nice day!

Franky


On Wed, Apr 1, 2015 at 5:26, Siwek, Jon <jsiwek at illinois.edu> wrote:
> 
>>  ~/bro-liste$ /usr/local/bro/bin/bro -r download.pcap extract.bro 
>>  1427874309.892545 warning in 
>> /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, 
>> line 54: Your trace file likely has invalid TCP checksums, most 
>> likely from NIC checksum offloading.
> 
> You’ll have to address this problem to get the results you expect.  
> See:
> 
> https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
> 
>>  The weird.log states some “above_hole_data_without_any_acks”
> 
> In this case, this seems like it’s just a side effect of the bad 
> checksums, but in case you’re interested in how that type of 
> situation can affect file extraction in Bro there’s discussion of 
> how/why here:
> 
> https://bro-tracker.atlassian.net/browse/BIT-1255
> 
> - Jon