Re: Sebek/snort dropping characters - temp fix

[Edward Balas <ebalas () iu edu>]

On Sat, 16 Aug 2003, Tom Jacobsen wrote:

> Hi All,
>
> I'm just finishing up my Gen II and ran into a problem.  I wasn't capturing 
> all the keystrokes from my honeypot with sebek-2.0.1.  I'd capture some, 
> but not all.  After a little investigation, it turned out that some of the 
> UDP packets had bad checksums and so snort was not logging them.  The quick 
> fix was to use snort's command line option"-k none" to disable 
> checksums.  Guess I could just set it to "-k noudp" since it's really on 
> UDP traffic.  In any event I'll take a look at the sebek code to see if I 
> can figure out the problem, but thought I would post it here in case anyone 
> else noticed they're captures were corrupt or garbled.

Yeah, its not a problem per se. It is not technically required to perform 
a UDP checksum if I recall, so I am not doing it.  I am doing the IP 
checksum.   The motivation or lack there of, was that it was one of not 
wanting to do it if I didnt need to as, one less function call meant a 
higher performance kernel mod.

If folks desire, I can add code.

Edward


> Later,
> Tom