From 28673bd198ae6911cb137be956a7cc421210b98b Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 8 Jan 2014 21:47:38 -0500
Subject: [PATCH 1/4] Fix for traffic with TCP segmentation offloading with IP header len field being set to zero.

---
 src/Sessions.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/Sessions.cc b/src/Sessions.cc
index acc306d277..dcb3835469 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -384,6 +384,15 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	const struct ip* ip4 = ip_hdr->IP4_Hdr();
 	uint32 len = ip_hdr->TotalLen();
 
+	if ( len == 0 )
+		{
+		// TCP segmentation offloading can zero out the ip_len field.
+		Weird("ip_hdr_len_zero", hdr, pkt, encapsulation);
+
+		// Cope with the zero'd out ip_len field by using the caplen.
+		len = hdr->caplen - hdr_size;
+		}
+
 	if ( hdr->len < len + hdr_size )
 		{
 		Weird("truncated_IP", hdr, pkt, encapsulation);

From 22f8bb9dd8a189e6a042041e76bca5bcbea0ad7a Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 8 Jan 2014 21:50:03 -0500
Subject: [PATCH 2/4] Fix for packet writing to make it use the global snaplength.

---
 src/PktSrc.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 9d6bce6fe9..941c4acd83 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -661,7 +661,7 @@ PktDumper::PktDumper(const char* arg_filename, bool arg_append)
 	if ( linktype < 0 )
 		linktype = DLT_EN10MB;
 
-	pd = pcap_open_dead(linktype, 8192);
+	pd = pcap_open_dead(linktype, snaplen);
 	if ( ! pd )
 		{
 		Error("error for pcap_open_dead");

From beea92ce6ceb03c2d81f58635723bc1ec02646b9 Mon Sep 17 00:00:00 2001
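Review bot: `len = hdr->caplen - hdr_size;` is unsigned arithmetic with nothing in the hunk ensuring `hdr->caplen >= hdr_size`; if the capture is shorter than the link-layer header the subtraction wraps to a huge `len`, and the `hdr->len < len + hdr_size` test right after it wraps back to comparing `hdr->len` with `hdr->caplen`, so the existing truncation guard does not catch the case. Whether the caller already rejects such packets is not visible here (DoNextPacket starts and ends outside the hunk); if it does not, a guard before the subtraction, `if ( hdr->caplen < (uint32) hdr_size ) return;` after reporting a Weird, closes it. The `len = ...` line also deserves a comment, since caplen counts everything after the link-layer header, trailer and padding included, so the derived value is an upper bound on the datagram length rather than its exact size, e.g. `// caplen may include link-layer padding, so this over-approximates the IP datagram length.`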
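Review bot: The new `snaplen` argument is a global whose relationship to the packets this dumper is later asked to write is not visible in the hunk, and pcap_open_dead() only records the value in the file header; pcap_dump() does not truncate, so any packet whose `caplen` exceeds that value yields a file whose per-packet length is larger than the declared snaplen, which older libpcap readers reject outright. If `linktype` above is taken from the first packet source, taking the snap length from that same source would keep the two header fields consistent with what was actually captured. Failing that, a comment on the changed line naming which snaplen this is, e.g. `// Use the configured snaplen so the dump header matches the capture.`, would make the assumption explicit. PktDumper's constructor continues outside the hunk.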
From: Jon Siwek
Date: Fri, 10 Jan 2014 15:06:10 -0600
Subject: [PATCH 3/4] Broxygen init fixes, addresses BIT-1110.

- Don't check mtime of bro binary if BRO_DISABLE_BROXYGEN env var set.
- Fix failure to locate bro binary if invoking from a relative path and '.' isn't in PATH.
---
 src/broxygen/Manager.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc
index 405a1019f9..51985a1e5c 100644
--- a/src/broxygen/Manager.cc
+++ b/src/broxygen/Manager.cc
@@ -35,8 +35,12 @@ Manager::Manager(const string& arg_config, const string& bro_command)
 	if ( getenv("BRO_DISABLE_BROXYGEN") )
 		disabled = true;
 
-	const char* path = getenv("PATH");
-	string path_to_bro = path ? find_file(bro_command, path): "";
+	if ( disabled )
+		return;
+
+	const char* env_path = getenv("PATH");
+	string path = env_path ? string(env_path) + ":." : ".";
+	string path_to_bro = find_file(bro_command, path);
 	struct stat s;
 
 	if ( path_to_bro.empty() || stat(path_to_bro.c_str(), &s) < 0 )

From e0082e6bcb7b346b87d9ad02a35dcab0209a351f Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 10 Jan 2014 15:17:54 -0600
Subject: [PATCH 4/4] Improve GeoIP City database support.

When trying to open a city database, it now considers both the "REV0" and "REV1" versions of the city database instead of just the former. The extra fields of the "REV1" version (metro/area code) aren't yet put in geo_location records, this change just allows this version of the city database to be opened w/ same functionality as the other version.

This should be convenient because libGeoIP expects either version to live at the same file system path, it's hard to tell which version you've got, and current free GeoLite databases seem to be "REV1".
---
 src/bro.bif | 80 +++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 71 insertions(+), 9 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index d789ef9f4e..e772b6eadf 100644
--- a/src/bro.bif
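Review bot: Appending `:.` to PATH changes the lookup order for a `bro_command` that already contains a slash: a relative invocation such as `./bro` was resolved by the shell against the current directory, but find_file (defined outside the hunk; I assume it joins each PATH entry with the name) will first try every PATH entry joined with `./bro`, so a differently installed binary of the same name somewhere in PATH wins over the one that is actually running, and its mtime is what the stat() below then compares. Only a bare command name needs the PATH search; a name containing a slash is already a path and can be used as-is, which also covers the relative-path case the commit message describes without adding `.` to the search. The early `return` when `disabled` is set also skips whatever the constructor initializes after this point, which is only safe if every remaining member has an in-class or initializer-list default; that part of the constructor is outside the hunk.
```cpp
	const char* env_path = getenv("PATH");
	string path_to_bro;

	// A name with a slash was resolved by the shell relative to the cwd
	// (or is absolute); only a bare name needs the PATH search.
	if ( bro_command.find('/') != string::npos )
		path_to_bro = bro_command;
	else
		path_to_bro = env_path ? find_file(bro_command, env_path) : "";
	// … unchanged: stat() of path_to_bro …
```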
+++ b/src/bro.bif
@@ -3443,9 +3443,59 @@ static GeoIP* open_geoip_db(GeoIPDBTypes type)
 	if ( GeoIP_db_avail(type) )
 		geoip = GeoIP_open_type(type, GEOIP_MEMORY_CACHE);
 
+	return geoip;
+	}
+
+static GeoIP* open_geoip_city_db()
+	{
+	GeoIP* geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0);
+
 	if ( ! geoip )
-		reporter->Info("Failed to open GeoIP database: %s",
-		               GeoIPDBFileName[type]);
+		geoip = open_geoip_db(GEOIP_CITY_EDITION_REV1);
+
+	if ( ! geoip )
+		{
+		string rev0_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV0];
+		string rev1_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV1];
+		string db_path = rev0_path;
+
+		// Maybe in the future the revisions won't share a common default path.
+		if ( rev0_path != rev1_path )
+			db_path = rev0_path + " or " + rev1_path;
+
+		reporter->Info("Failed to open GeoIP City database: %s",
+		               db_path.c_str());
+		}
+
+	return geoip;
+	}
+
+static GeoIP* open_geoip_city_db_v6()
+	{
+	GeoIP* geoip = 0;
+
+	// Both city edition revisions for IPv6 show up in libGeoIP 1.4.7.
+#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6
+	geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6);
+
+	if ( ! geoip )
+		geoip = open_geoip_db(GEOIP_CITY_EDITION_REV1_V6);
+
+	if ( ! geoip )
+		{
+		string rev0_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV0_V6];
+		string rev1_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV1_V6];
+		string db_path = rev0_path;
+
+		// Maybe in the future the revisions won't share a common default path.
+		if ( rev0_path != rev1_path )
+			db_path = rev0_path + " or " + rev1_path;
+
+		reporter->Info("Failed to open GeoIP Cityv6 database: %s",
+		               db_path.c_str());
+		}
+#endif
+
 
 	return geoip;
 	}
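Review bot: open_geoip_city_db() and open_geoip_city_db_v6() repeat the rev0-then-rev1 fallback and the "path or path" message construction almost line for line, differing only in the two enum values and one word of the message; a helper taking the two `GeoIPDBTypes` and a label keeps the pair in step when the lookup or the wording changes. The helper is also the one place to guard the `string rev0_path = GeoIPDBFileName[...]` initializations: as far as I know libGeoIP leaves entries of that table null for editions without a default file name, and constructing a std::string from a null pointer is undefined behaviour, which the `%s` on the removed line did not risk as an object construction. Both city editions do have default names in libGeoIP, so this is a robustness note rather than an observed crash. The v6 variant keeps its `#ifdef` and calls the helper with the `*_V6` editions and `"Cityv6"`.
```cpp
// Try `rev0` then `rev1`; on failure report the default path(s) under `label`.
static GeoIP* open_geoip_db_pair(GeoIPDBTypes rev0, GeoIPDBTypes rev1,
                                 const char* label)
	{
	GeoIP* geoip = open_geoip_db(rev0);

	if ( ! geoip )
		geoip = open_geoip_db(rev1);

	if ( ! geoip )
		{
		const char* p0 = GeoIPDBFileName[rev0];
		const char* p1 = GeoIPDBFileName[rev1];
		string db_path = p0 ? p0 : "";

		// Maybe in the future the revisions won't share a common default path.
		if ( p1 && db_path != p1 )
			db_path = db_path.empty() ? string(p1) : db_path + " or " + p1;

		reporter->Info("Failed to open GeoIP %s database: %s", label,
		               db_path.c_str());
		}

	return geoip;
	}

static GeoIP* open_geoip_city_db()
	{
	return open_geoip_db_pair(GEOIP_CITY_EDITION_REV0,
	                          GEOIP_CITY_EDITION_REV1, "City");
	}

// … unchanged: open_geoip_city_db_v6() with its #ifdef, now delegating to the helper …
```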
@@ -3476,31 +3526,41 @@ function lookup_location%(a: addr%) : geo_location
 	if ( ! geoip_initialized )
 		{
 		geoip_initialized = true;
-		geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0);
+		geoip = open_geoip_city_db();
 
 		if ( ! geoip )
 			{
 			geoip = open_geoip_db(GEOIP_COUNTRY_EDITION);
+			string db_path = GeoIPDBFileName[GEOIP_COUNTRY_EDITION];
+
 			if ( ! geoip )
-				builtin_error("Can't initialize GeoIP City/Country database");
+				builtin_error(fmt("Failed fall back to GeoIP Country "
+				                  "database: %s",
+				                  GeoIPDBFileName[GEOIP_COUNTRY_EDITION]));
 			else
 				reporter->Info("Fell back to GeoIP Country database");
 			}
 		else
 			have_city_db = true;
 
-#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6
-		geoip_v6 = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6);
+		geoip_v6 = open_geoip_city_db_v6();
+
 		if ( geoip_v6 )
 			have_cityv6_db = true;
-#endif
 
 #ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
 		if ( ! geoip_v6 )
+			{
 			geoip_v6 = open_geoip_db(GEOIP_COUNTRY_EDITION_V6);
+
+			if ( ! geoip_v6 )
+				reporter->Info("Failed to open GeoIPv6 Country database: %s",
+				               GeoIPDBFileName[GEOIP_COUNTRY_EDITION_V6]);
+			}
 #endif
+
 		if ( ! geoip_v6 )
-			builtin_error("Can't initialize GeoIPv6 City/Country database");
+			builtin_error("Can't open GeoIPv6 City/Country database");
 		}
 
 #ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
@@ -3592,8 +3652,10 @@ function lookup_asn%(a: addr%) : count
 	{
 	geoip_asn_initialized = true;
 	geoip_asn = open_geoip_db(GEOIP_ASNUM_EDITION);
+
 	if ( ! geoip_asn )
-		builtin_error("Can't initialize GeoIP ASNUM database");
+		builtin_error(fmt("Can't open GeoIP ASNUM database: %s",
+		                  GeoIPDBFileName[GEOIP_ASNUM_EDITION]));
 	}
 
 	if ( geoip_asn )
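Review bot: `string db_path = GeoIPDBFileName[GEOIP_COUNTRY_EDITION];` in lookup_location is never read; the `fmt()` call three lines below indexes the table again instead of using it, so the copy is dead code. Either pass it, replacing `GeoIPDBFileName[GEOIP_COUNTRY_EDITION]));` with `db_path.c_str()));`, or drop the declaration together with the blank line after it. The text `"Failed fall back to GeoIP Country "` also reads as a typo for `"Failed to fall back to GeoIP Country "`. lookup_location's body continues outside the hunk on both sides.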