Add documentation for GH-1829

This adds documentation that clarifies that the `ignore_checksums`
option now also allows IPv4 packets with a length of 0.
Johanna Amann 2021-11-16 13:51:29 +00:00
parent a011b4cb70
commit 14f919895d
3 changed files with 18 additions and 4 deletions

NEWS

@ -53,6 +53,13 @@ Changed Functionality
- The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr) - The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr)
when available. when available.
- The ``ignore_checksums`` options and the ``-C`` command-line option now additionally cause
Zeek to accept IPv4 packets that provide a length of zero in the total-length IPv4 header
field. When the length is set to zero, the capture length of the packet is used instead.
This can be used to replay traces, or analyze traffic when TCP sequence offloading is enabled
on the local NIC - which typically causes the total-length of affected packets to be set to
zero.
Removed Functionality Removed Functionality
--------------------- ---------------------
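
Review bot: The added NEWS entry names the cause as "TCP sequence offloading", while the man-page text in this same commit says "TCP Segment Offloading" and the script comment says "NIC sequence offloading". Suggest one term in all three places, TCP segmentation offload (TSO), which is the NIC feature that leaves the total-length field at zero on locally captured traffic. Also, "The ``ignore_checksums`` options" should be singular, and "on the local NIC - which typically causes" reads better as two sentences.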


@ -66,7 +66,7 @@ print version and exit
print contents of state file print contents of state file
.TP .TP
\fB\-C\fR,\ \-\-no\-checksums \fB\-C\fR,\ \-\-no\-checksums
ignore checksums When this option is set, Zeek ignores invalid packet checksums and does process the packets. Furthermore, if this option is set Zeek also processes IP packets with a zero total length field, which is typically caused by TCP (TCP Segment Offloading) on the NIC.
.TP .TP
\fB\-F\fR,\ \-\-force\-dns \fB\-F\fR,\ \-\-force\-dns
force DNS force DNS


@ -1016,9 +1016,16 @@ const TCP_RESET = 6; ##< Endpoint has sent RST.
const UDP_INACTIVE = 0; ##< Endpoint is still inactive. const UDP_INACTIVE = 0; ##< Endpoint is still inactive.
const UDP_ACTIVE = 1; ##< Endpoint has sent something. const UDP_ACTIVE = 1; ##< Endpoint has sent something.
## If true, don't verify checksums. Useful for running on altered trace ## If true, don't verify checksums, and accept packets that give a length of
## files, and for saving a few cycles, but at the risk of analyzing invalid ## zero in the IPv4 header. This is useful when running against traces of local
## data. Note that the ``-C`` command-line option overrides the setting of this ## traffic and the NIC checksum offloading feature is enabled. It can also
## be useful for running on altered trace files, and for saving a few cycles
## at the risk of analyzing invalid data.
## With this option, packets that have a value of zero in the total-length field
## of the IPv4 header are also accepted, and the capture-length is used instead.
## The total-length field is commonly set to zero when the NIC sequence offloading
## feature is enabled.
## Note that the ``-C`` command-line option overrides the setting of this
## variable. ## variable.
const ignore_checksums = F &redef; const ignore_checksums = F &redef;
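
Review bot: The rewritten comment on ignore_checksums states the zero-length behaviour twice, once in the opening sentence and again in "With this option, packets that have a value of zero in the total-length field ... are also accepted", and it names two different NIC features, "checksum offloading" and "sequence offloading", the second of which does not match the man-page wording. Suggest describing each behaviour once: checksums are not verified (the checksum offloading case), and a zero IPv4 total-length is replaced by the capture length (the segmentation offloading case). Since one flag now controls both, the "at the risk of analyzing invalid data" caveat should be placed so that it clearly covers the length fallback as well as the skipped checksum verification.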