On Sun, Jun 09, 2013 at 19:55 +0000, you wrote:
> with incorrect checksums, you need to use the -C flag. Having to point
> this out got me thinking - should this not be the default behavior?

An argument for enabling the checksum check by default is that if a checksum is broken, one can't trust the content of the packet anymore, it could be just garbage, or truncated, and hence cause havoc later at protocol decoding. However, a counter argument to that is that Bro should be robust against broken packets anyways, even if the checksum is correct.

Current git gives a warning when Bro believes that your packets generally have incorrect checksums and you should hence use -C. I'm hoping that will point people in the right direction more quickly. However, I think I also wouldn't object to changing the default, as it indeed has become a very common problem these days.

> Bro already logs a weird for incorrect checksums;

But if the input generally doesn't have correct checksums, we also don't really want all those logged as weirds.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * [email protected]
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
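The message above separates an occasional bad checksum (worth logging per packet) from a trace whose checksums are generally incorrect (worth one warning that points to -C). The following is an added example, not part of the original message and not Bro's code, that verifies IPv4 header checksums over constructed packets and labels the trace accordingly. The `classify` function, its `threshold` and `min_packets` values, and the sample headers are assumptions made for illustration.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(ident: int, valid: bool = True) -> bytes:
    """Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, TCP), sample data only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = internet_checksum(hdr) if valid else 0  # 0 is wrong for these headers
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def header_checksum_ok(pkt: bytes) -> bool:
    """True if the IPv4 header checksum verifies; truncated input counts as bad."""
    if len(pkt) < 20:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return False
    return internet_checksum(pkt[:ihl]) == 0

def classify(packets, threshold=0.9, min_packets=10):
    """Label a trace 'clean', 'sporadic' (log each bad packet) or
    'systematic' (warn once and suggest ignoring checksums).
    threshold and min_packets are assumed values, not Bro's."""
    bad = sum(not header_checksum_ok(p) for p in packets)
    if bad == 0:
        return "clean", bad
    if len(packets) >= min_packets and bad / len(packets) >= threshold:
        return "systematic", bad
    return "sporadic", bad

if __name__ == "__main__":
    mostly_good = [ipv4_header(i, valid=(i != 7)) for i in range(20)]
    all_bad = [ipv4_header(i, valid=False) for i in range(20)]
    print(classify(mostly_good))
    print(classify(all_bad))
```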
