[Bro-Dev] buglet in FTP processing for 1.E7Vo2Cjyt39.pcap in slice 9
Seth Hall
seth at icir.org
Wed Nov 30 20:16:43 PST 2011
On Nov 30, 2011, at 7:10 PM, Vern Paxson wrote:
> 150 Binary transfer started (7k).
Oops, I haven't seen FTP servers do that before. I'll fix it.
> I'm not sure whether these are worth worrying about, though. Presumably
> if the accompanying ftp-data connections were also in the trace, the
> sizes would come from those (?).
I don't think the ftp base scripts pull data from that currently. That would make sense though. :) One problem with it is that in cluster deployments it's very common for the data connections to not be analyzed appropriately (it only works if 2-tuple load balancing is taking place).
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the bro-dev
mailing list