Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath: Script in base for detecting cases of checksum offloading.
2025-10-10 10:38:20 +00:00 · 2012-11-05 13:58:20 -08:00 · 2012-11-05 13:58:20 -08:00 · a6216969e6
commit a6216969e6
parent c39215bf5d e020e034ae
5 changed files with 70 additions and 2 deletions
--- a/9
+++ b/9
@ -1,4 +1,13 @@

+2.1-112 | 2012-11-05 13:58:20 -0800
+
+  * New base script for detecting cases of checksum offloading. 
+    Reporter messages will now tell if one has bad checksums. (Seth
+    Hall)
+
+  * Clarifying ownership rules for BroString constructors. (Robin
+    Sommer)
+
 2.1-109 | 2012-11-05 13:39:34 -0800

  * Add detection rate threshold for MHR. (Vlad Grigorescu)
--- a/2
+++ b/2
@ -1 +1 @@
-2.1-109
+2.1-112
--- a/aux/bro-aux
+++ b/aux/bro-aux
@ -1 +1 @@
-Subproject commit f8fbe4a89732f15c04662c9b20fcaf2c157c9fb7
+Subproject commit bea556198b69d30d64c0cf1b594e6de71176df6f
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@ -41,3 +41,5 @@
@load base/protocols/ssh
@load base/protocols/ssl
@load base/protocols/syslog
+
+@load base/misc/find-checksum-offloading
--- a/scripts/base/misc/find-checksum-offloading.bro
+++ b/scripts/base/misc/find-checksum-offloading.bro
@ -0,0 +1,57 @@
+##! Discover cases where the local interface is sniffed and outbound packets
+##! have checksum offloading.  Load this script to receive a notice if it's
+##! likely that checksum offload effects are being seen on a live interface or
+##! in a packet trace file.
+
+@load base/frameworks/notice
+
+module ChecksumOffloading;
+
+export {
+	## The interval which is used for checking packet statistics
+	## to see if checksum offloading is affecting analysis.
+	const check_interval = 10secs &redef;
+}
+
+# Keep track of how many bad checksums have been seen.
+global bad_checksums = 0;
+
+# Track to see if this script is done so that messages aren't created multiple times.
+global done = F;
+
+event ChecksumOffloading::check()
+	{
+	if ( done )
+		return;
+
+	local pkts_recvd = net_stats()$pkts_recvd;
+	if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 )
+		{
+		local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving";
+		local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src);
+		Reporter::warning(message);
+		done = T;
+		}
+	else if ( pkts_recvd < 20 )
+		{
+		# Keep scheduling this event until we've seen some lower threshold of
+		# total packets.
+		schedule check_interval { ChecksumOffloading::check() };
+		}
+	}
+
+event bro_init()
+	{
+	schedule check_interval { ChecksumOffloading::check() };
+	}
+
+event net_weird(name: string)
+	{
+	if ( name == "bad_IP_checksum" )
+		++bad_checksums;
+	}
+
+event bro_done()
+	{
+	event ChecksumOffloading::check();
+	}
 @ -1 +1 @@
 .1-109
 .1-112