While playing with tcpdump and bro I noticed that all outgoing packets have garbled TCP checksums. The diagnosis was simple: TCP checksum offloading. The real question was how to disable it.
After a bit of googling I found the magic commands:
sysctl -w net.link.ether.inet.apple_hwcksum_tx=0
sysctl -w net.link.ether.inet.apple_hwcksum_rx=0
There’s one catch though. Disabling TCP checksum offloading effectively corrupts the TCP checksum on the lo interface and, as you can well imagine, things stop working. In particular, you will not be able to start any graphical applications anymore… So it looks like it’s either playing with the network or working… There’s no free lunch.
In the end the solution with bro turned out to be simpler – you can tell it to ignore checksums with the -C flag, and then everything works as on my linux box.
BTW: my favourite bro command
bro -C -i en0 conn http-request http-reply [http-headers] [http-body]
writes connection summaries to conn.log and http-related stuff to http.log. Depending on the amount of detail you need, you can have only requests, or requests plus information about the results (HTTP return code and the size of the result). Additional modules record the browser headers or even the entire page loaded.
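To see what tcpdump and bro actually verify, and why an offloaded segment looks "garbled" in a capture, here is an added example (not from the original post) that recomputes the TCP checksum over the IPv4 pseudo-header and compares it with the field on the wire; the SYN segment and addresses are constructed for illustration.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"          # odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over pseudo-header + segment, with the checksum field
    (bytes 16-17 of the TCP header) treated as zero while summing."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """What a capture tool does: recompute and compare with the wire field."""
    wire = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == wire

# Constructed sample: SYN from 192.168.1.10:49152 to 93.184.216.34:80.
SRC = bytes([192, 168, 1, 10])
DST = bytes([93, 184, 216, 34])
# src port, dst port, seq, ack, data offset 5 (<<4), flags SYN, window,
# checksum placeholder, urgent pointer.
OFFLOADED = struct.pack("!HHIIBBHHH", 49152, 80, 0x12345678, 0,
                        5 << 4, 0x02, 65535, 0, 0)

def fill_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """Return the segment with a correct checksum written into the header."""
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

# The stack leaves the field for the NIC when offloading is on (here: zero),
# so a local capture sees a segment that fails verification; the version
# the NIC would emit on the wire passes.
GOOD = fill_checksum(SRC, DST, OFFLOADED)

if __name__ == "__main__":
    print("offloaded copy verifies:", tcp_checksum_ok(SRC, DST, OFFLOADED))
    print("wire copy verifies:     ", tcp_checksum_ok(SRC, DST, GOOD))
```

This is the check that bro skips with -C: the local copy of an outgoing segment is compared against a checksum the NIC has not yet filled in.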