Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath: Script in base for detecting cases of checksum offloading.
commit
a6216969e6
5 changed files with 70 additions and 2 deletions
9
CHANGES
9
CHANGES
|
@ -1,4 +1,13 @@
|
||||||
|
|
||||||
|
2.1-112 | 2012-11-05 13:58:20 -0800
|
||||||
|
|
||||||
|
* New base script for detecting cases of checksum offloading.
|
||||||
|
Reporter messages will now tell if one has bad checksums. (Seth
|
||||||
|
Hall)
|
||||||
|
|
||||||
|
* Clarifying ownership rules for BroString constructors. (Robin
|
||||||
|
Sommer)
|
||||||
|
|
||||||
2.1-109 | 2012-11-05 13:39:34 -0800
|
2.1-109 | 2012-11-05 13:39:34 -0800
|
||||||
|
|
||||||
* Add detection rate threshold for MHR. (Vlad Grigorescu)
|
* Add detection rate threshold for MHR. (Vlad Grigorescu)
|
||||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
||||||
2.1-109
|
2.1-112
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
Subproject commit f8fbe4a89732f15c04662c9b20fcaf2c157c9fb7
|
Subproject commit bea556198b69d30d64c0cf1b594e6de71176df6f
|
|
@ -41,3 +41,5 @@
|
||||||
@load base/protocols/ssh
|
@load base/protocols/ssh
|
||||||
@load base/protocols/ssl
|
@load base/protocols/ssl
|
||||||
@load base/protocols/syslog
|
@load base/protocols/syslog
|
||||||
|
|
||||||
|
@load base/misc/find-checksum-offloading
|
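--- a/scripts/base/misc/find-checksum-offloading.bro
+++ b/scripts/base/misc/find-checksum-offloading.bro
@@ -0,0 +1,57 @@
+##! Discover cases where the local interface is sniffed and outbound packets
+##! have checksum offloading. Load this script to receive a notice if it's
+##! likely that checksum offload effects are being seen on a live interface or
+##! in a packet trace file.
+
+@load base/frameworks/notice
+
+module ChecksumOffloading;
+
+export {
+## The interval which is used for checking packet statistics
+## to see if checksum offloading is affecting analysis.
+const check_interval = 10secs &redef;
+}
+
+# Keep track of how many bad checksums have been seen.
+global bad_checksums = 0;
+
+# Track to see if this script is done so that messages aren't created multiple times.
+global done = F;
+
+event ChecksumOffloading::check()
+{
+if ( done )
+return;
+
+local pkts_recvd = net_stats()$pkts_recvd;
+if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 )
+{
+local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving";
+local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src);
+Reporter::warning(message);
+done = T;
+}
+else if ( pkts_recvd < 20 )
+{
+# Keep scheduling this event until we've seen some lower threshold of
+# total packets.
+schedule check_interval { ChecksumOffloading::check() };
+}
+}
+
+event bro_init()
+{
+schedule check_interval { ChecksumOffloading::check() };
+}
+
+event net_weird(name: string)
+{
+if ( name == "bad_IP_checksum" )
+++bad_checksums;
+}
+
+event bro_done()
+{
+event ChecksumOffloading::check();
+}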
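Review bot: The ratio test in `ChecksumOffloading::check()` divides by `net_stats()$pkts_recvd` without checking for zero, and the handler can run before any packet has been counted (the first timer after `check_interval` on a quiet interface, or the call from `bro_done()` on an empty trace). That would presumably surface as a division-by-zero runtime error instead of falling through to the reschedule branch, so the warning this script exists to raise may not appear in exactly the runs where the operator is still setting up capture. Reusing the local that is already computed and guarding it covers both: `if ( pkts_recvd > 0 && (bad_checksums*1.0 / pkts_recvd) > 0.05 )`. Separately, the ratio is evaluated before the 20-packet minimum, so a single bad checksum among the first few packets sets `done` for the rest of the run; consider applying the minimum first and exposing the `0.05` threshold as a `&redef` constant next to `check_interval`.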