From e020e034ae4ebabf3c84f6ca8ea9cf538197ca1c Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 1 Nov 2012 00:16:28 -0400
Subject: [PATCH] Script in base for detecting cases of checksum offloading.
- I added this to the base scripts because it's very minimal overhead and we get questions about this all the time. Now that reporter messages are printed to the console, people will see the message clearly if they have bad checksums.
---
 scripts/base/init-default.bro | 2 +
 .../base/misc/find-checksum-offloading.bro | 57 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 scripts/base/misc/find-checksum-offloading.bro
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 91011738d1..566a59808a 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -41,3 +41,5 @@
 @load base/protocols/ssh
 @load base/protocols/ssl
 @load base/protocols/syslog
+
+@load base/misc/find-checksum-offloading
\ No newline at end of file
diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.bro
new file mode 100644
index 0000000000..25ae30eea7
--- /dev/null
+++ b/scripts/base/misc/find-checksum-offloading.bro
@@ -0,0 +1,57 @@
+##! Discover cases where the local interface was sniffed and outbound packets
+##! had checksum offloading. Load this script to receive a notice if it's
+##! likely that checksum offload effects are being seen on a live interface or
+##! in a packet trace file.
+
+@load base/frameworks/notice
+
+module ChecksumOffloading;
+
+export {
+ ## The interval which is used for checking packet statistics
+ ## to see if checksum offloading is affecting analysis.
+ const check_interval = 10secs &redef;
+}
+
+# Keep track of how many bad checksums have been seen.
+global bad_checksums = 0;
+# Track to see if this script is done so that messages aren't created multiple times.
+global done = F;
+
+
+event ChecksumOffloading::check()
+ {
+ if ( done )
+ return;
+
+ local pkts_recvd = net_stats()$pkts_recvd;
+ if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 )
+ {
+ local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving";
+ local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src);
+ Reporter::warning(message);
+ done = T;
+ }
+ else if ( pkts_recvd < 20 )
+ {
+ # Keep scheduling this event until we've seen some lower threshold of
+ # total packets.
+ schedule check_interval { ChecksumOffloading::check() };
+ }
+ }
+
+event bro_init()
+ {
+ schedule check_interval { ChecksumOffloading::check() };
+ }
+
+event net_weird(name: string)
+ {
+ if ( name == "bad_IP_checksum" )
+ ++bad_checksums;
+ }
+
+event bro_done()
+ {
+ event ChecksumOffloading::check();
+ }
\ No newline at end of file
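Review bot: The ratio test in `ChecksumOffloading::check()` runs before the minimum-sample guard and divides by `net_stats()$pkts_recvd` without checking it, so an empty trace reaching `bro_done` (or a quiet interface on the first tick) yields a zero divisor, which Bro will most likely report as a runtime error, and a trace of a handful of packets with a single bad checksum already exceeds the 5% threshold and prints the warning on almost no evidence. Moving the `pkts_recvd < 20` check in front of the ratio and dividing by the already-fetched local fixes both and calls `net_stats()` once per tick instead of twice. The `##!` header says the script delivers a notice and `@load base/frameworks/notice` is pulled in, but the code only calls `Reporter::warning()`; either drop the load and say "reporter warning" in the header, or raise a Notice so the result lands in notice.log where detection reviews will look for it. The threshold `20` and the `0.05` ratio are also worth lifting into `export` next to `check_interval` so operators on high-rate sensors can tune them.
```bro
event ChecksumOffloading::check()
	{
	if ( done )
		return;

	# Read the counters once; don't judge until there is a minimum sample.
	local pkts_recvd = net_stats()$pkts_recvd;
	if ( pkts_recvd < 20 )
		{
		schedule check_interval { ChecksumOffloading::check() };
		return;
		}

	if ( (bad_checksums*1.0 / pkts_recvd*1.0) > 0.05 )
		{
		# … unchanged: build the message, Reporter::warning(), done = T …
		}
	}
```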