From 14f919895de00ad1c5ae686f39709874f31e2ce3 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 16 Nov 2021 13:51:29 +0000 Subject: [PATCH] Add documentation for GH-1829 This adds documentation that clarifies that the `ignore_checksums` option now also allows IPv4 packets with a length of 0. --- NEWS | 7 +++++++ man/zeek.8 | 2 +- scripts/base/init-bare.zeek | 13 ++++++++++--- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 2ece09bee0..836a19189a 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,13 @@ Changed Functionality - The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr) when available. +- The ``ignore_checksums`` options and the ``-C`` command-line option now additionally cause + Zeek to accept IPv4 packets that provide a length of zero in the total-length IPv4 header + field. When the length is set to zero, the capture length of the packet is used instead. + This can be used to replay traces, or analyze traffic when TCP sequence offloading is enabled + on the local NIC - which typically causes the total-length of affected packets to be set to + zero. + Removed Functionality --------------------- diff --git a/man/zeek.8 b/man/zeek.8 index 1a667f5630..7b6e046ed6 100644 --- a/man/zeek.8 +++ b/man/zeek.8 @@ -66,7 +66,7 @@ print version and exit print contents of state file .TP \fB\-C\fR,\ \-\-no\-checksums -ignore checksums +When this option is set, Zeek ignores invalid packet checksums and does process the packets. Furthermore, if this option is set Zeek also processes IP packets with a zero total length field, which is typically caused by TCP (TCP Segment Offloading) on the NIC. .TP \fB\-F\fR,\ \-\-force\-dns force DNS diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index a4d4e1ae17..3ab33fb8eb 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -1016,9 +1016,16 @@ const TCP_RESET = 6; ##< Endpoint has sent RST. const UDP_INACTIVE = 0; ##< Endpoint is still inactive. const UDP_ACTIVE = 1; ##< Endpoint has sent something. -## If true, don't verify checksums. Useful for running on altered trace -## files, and for saving a few cycles, but at the risk of analyzing invalid -## data. Note that the ``-C`` command-line option overrides the setting of this +## If true, don't verify checksums, and accept packets that give a length of +## zero in the IPv4 header. This is useful when running against traces of local +## traffic and the NIC checksum offloading feature is enabled. It can also +## be useful for running on altered trace files, and for saving a few cycles +## at the risk of analyzing invalid data. +## With this option, packets that have a value of zero in the total-length field +## of the IPv4 header are also accepted, and the capture-length is used instead. +## The total-length field is commonly set to zero when the NIC sequence offloading +## feature is enabled. +## Note that the ``-C`` command-line option overrides the setting of this ## variable. const ignore_checksums = F &redef;
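Review bot: In the NEWS hunk, the new entry names the cause as "TCP sequence offloading", while the man page text in this same patch calls it "TCP Segment Offloading" and the init-bare.zeek comment calls it "NIC sequence offloading". Pick one term and use it in all three places so readers can match it to their NIC settings. The entry also opens with "The ``ignore_checksums`` options", which should be singular. Since the entry tells users the capture length is substituted for a zero total-length, consider carrying over the caveat that the init-bare.zeek comment keeps ("at the risk of analyzing invalid data"), because NEWS is where operators will first learn that `-C` now relaxes a second check.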
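Review bot: In the init-bare.zeek hunk, the comment on `ignore_checksums` states the zero-length behaviour twice, once in the first sentence and again in "With this option, packets that have a value of zero in the total-length field ... are also accepted"; merging these into one statement would shorten the block. The comment should also say explicitly that the two relaxations cannot be enabled separately, since a single constant named for checksums now also controls length acceptance and a user redefining it to skip checksum work may not expect the second effect. "NIC sequence offloading feature" differs from the "TCP Segment Offloading" wording in the man page hunk and should be aligned with it.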