Just wanted to offer this up for discussion: Someone recently asked me if there were any "gotchas" to trying Bro. The only thing that I could think of is that if you're reading a PCAP with incorrect checksums, you need to use the -C flag. Having to point this out got me thinking - should this not be the default behavior? Bro already logs a weird for incorrect checksums; does it really make sense to have it ignore those packets? Should the option be flipped, to "enable strict checksum verification," or something like that?
--Vlad

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
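As an added illustration (not code from the post or from Bro itself), a small Python model of the two policies the post contrasts: strict checksum verification, which logs a weird and ignores a packet whose IPv4 header checksum does not verify, versus the `-C`-style policy that accepts the packet anyway. The two packets and the `bad_IP_checksum` weird name are constructed for this example; whether Bro also logs the weird when run with `-C` is not claimed here.

```python
import struct


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header with the checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"          # checksum field is bytes 10-11
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_checksum_ok(header: bytes) -> bool:
    """True when the stored checksum matches the one recomputed over the header."""
    stored = struct.unpack("!H", header[10:12])[0]
    return stored == ipv4_header_checksum(header)


def build_ipv4_header(src: bytes, dst: bytes, correct: bool = True) -> bytes:
    """Constructed minimal 20-byte IPv4 header (TCP, TTL 64, total length 40)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, src, dst)
    csum = ipv4_header_checksum(fields)
    if not correct:
        csum ^= 0x0001                 # flip one bit so the checksum is guaranteed wrong
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def process(packets, ignore_checksums=False):
    """Model of the two policies. Returns (indices accepted, weird log entries).

    Strict mode (default) logs a weird and skips a packet with a bad checksum;
    ignore_checksums=True (the -C policy in the post) still records the weird in
    this model but lets the packet through to further processing.
    """
    weird_log, accepted = [], []
    for i, hdr in enumerate(packets):
        if not ipv4_checksum_ok(hdr):
            weird_log.append(("bad_IP_checksum", i))
            if not ignore_checksums:
                continue
        accepted.append(i)
    return accepted, weird_log
```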
