From 3c27267223bbd3f6c9910ef20acb9ce0e42cfacb Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 13 Dec 2012 11:09:41 -0500 Subject: [PATCH] Improvements for the "bad checksums" detector to make it detect bad TCP checksums. --- .../base/misc/find-checksum-offloading.bro | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.bro index a0a2c692b7..f371628c33 100644 --- a/scripts/base/misc/find-checksum-offloading.bro +++ b/scripts/base/misc/find-checksum-offloading.bro @@ -14,7 +14,8 @@ export { } # Keep track of how many bad checksums have been seen. -global bad_checksums = 0; +global bad_ip_checksums = 0; +global bad_tcp_checksums = 0; # Track to see if this script is done so that messages aren't created multiple times. global done = F; @@ -25,10 +26,19 @@ event ChecksumOffloading::check() return; local pkts_recvd = net_stats()$pkts_recvd; - if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 ) + local bad_ip_checksum_pct = bad_ip_checksums*1.0 / net_stats()$pkts_recvd*1.0; + local bad_tcp_checksum_pct = bad_tcp_checksums*1.0 / net_stats()$pkts_recvd*1.0; + if ( bad_ip_checksum_pct > 0.05 || bad_tcp_checksum_pct > 0.05 ) { local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving"; - local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src); + local bad_checksum_msg = bad_ip_checksum_pct > 0.0 ? "IP" : ""; + if ( bad_tcp_checksum_pct > 0.0 ) + { + if ( |bad_checksum_msg| > 0 ) + bad_checksum_msg += " and "; + bad_checksum_msg += "TCP"; + } + local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.", packet_src, bad_checksum_msg); Reporter::warning(message); done = T; } @@ -48,7 +58,13 @@ event bro_init() event net_weird(name: string) { if ( name == "bad_IP_checksum" ) - ++bad_checksums; + ++bad_ip_checksums; + } + +event conn_weird(name: string, c: connection, addl: string) + { + if ( name == "bad_TCP_checksum" ) + ++bad_tcp_checksums; } event bro_done()