-k option equivalence in suricata.yaml

Hi - I understand the -k option is used for analysing stand-alone pcaps. In suricata.yaml I can see the following:

```
# disable checksum validation. Same as setting '-k none' on the
#checksum-validation: none
```

There’s also a checksum-validation parameter in the stream: section. Should this be set to none as well?

Secondly, there is a ‘checksum-checks:’ parameter in the interfaces sections (af-packet, pcap, netmap). Is there any relation to the checksum-validation parameter above?

If this is set to yes, packets with invalid checksum values won’t be processed by the engine's stream/app layer. So this should be set to no based on the use case.

Yes, checksum-validation needs to be set to yes if you want to set a specific option for this particular interface. So checksum-checks defines how the checksum checking should be done at this specific interface, so you can enable it globally but disable it on some of the used interfaces.

Are you sure the value in stream is none and not no?

You’re correct, my bad :slight_smile: (fixed it)
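
The three settings discussed in this thread, shown together as an added example (not part of the original posts). The `capture:` section name is taken from the stock suricata.yaml, the interface names are assumptions, and the fragment is constructed rather than a complete configuration.

```yaml
# Constructed fragment for illustration; not a complete suricata.yaml.

capture:
  # Global switch. Left commented out here so that the per-interface
  # 'checksum-checks' values below take effect. Uncommenting it is the
  # config-file form of running with '-k none'.
  #checksum-validation: none

stream:
  # Boolean (yes/no, not 'none'). With 'yes', packets with invalid
  # checksums are not processed by the stream/app layer.
  checksum-validation: yes

af-packet:
  - interface: eth0          # assumed interface name
    # Checksums are validated on this interface.
    checksum-checks: yes
  - interface: eth1          # assumed interface name
    # Checksum checking is switched off for this interface only.
    checksum-checks: no
```

For a stand-alone pcap where bad checksums should be ignored, the thread's answer corresponds to setting `checksum-validation: no` under `stream:` instead.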

