vern at icir.org
Fri Jan 3 23:18:04 PST 2003
> However, I still can't understand why the status of all connections not
> from/to my host is "S0", which means "no answer", while my host's
> connections were all right.
That's very strange, unless in your setup Bro is massively dropping packets.
So the next thing to do is use Bro's "-w tracefile" option to record the
packets it's analyzing. Next time you find an S0 FTP session which you're
sure was successful, extract the corresponding packets from the trace.
If there are just initial SYNs and nothing else, then Bro was correct, and
you were mistaken regarding that particular session being successful.
If on the other hand there's an initial SYN, no SYN-ACK, but a bunch of
subsequent packets related to the connection, then Bro is dropping packets.
I can help with this analysis (send me the trace off-line) if needed.
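As an added illustration (not part of the original message, and not Bro's own code), the following Python script performs the check Vern describes on a "-w" style libpcap trace: it pulls out the packets of one connection and reports whether the trace holds nothing but SYNs (S0 is correct), a SYN plus later packets with no SYN-ACK (packets were dropped before Bro saw them), or a real handshake. The trace here is constructed in memory with zero checksums, the hosts, ports and function names are assumptions chosen for the example, and only Ethernet (linktype 1) traces are handled.

```python
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the constructed trace (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1041638400 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def parse_pcap(data):
    """Decode every TCP/IPv4 packet of a libpcap trace into a small dict."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("this example handles Ethernet traces only")
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                               # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", ip, 2)
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        pkts.append({"ts": sec + usec / 1e6,
                     "src": ".".join(map(str, ip[12:16])),
                     "dst": ".".join(map(str, ip[16:20])),
                     "sport": sport, "dport": dport, "flags": tcp[13],
                     "payload": len(tcp) - (tcp[12] >> 4) * 4})
    return pkts


def connection_packets(pkts, orig, oport, resp, rport):
    """Both directions of one connection: the 'extract the corresponding packets' step."""
    keys = {(orig, oport, resp, rport), (resp, rport, orig, oport)}
    return [p for p in pkts if (p["src"], p["sport"], p["dst"], p["dport"]) in keys]


def diagnose(conn, orig):
    """Apply the test from the message to one connection's packets."""
    if not conn:
        return "no-packets"
    if any(p["src"] != orig and p["flags"] & SYN and p["flags"] & ACK for p in conn):
        return "handshake-seen"      # a SYN-ACK is in the trace
    if all(p["flags"] & SYN and not p["flags"] & ACK for p in conn):
        return "s0-genuine"          # nothing but SYNs: the server really never answered
    return "packets-dropped"         # no SYN-ACK, yet the conversation went on


# Constructed trace: an FTP client (hypothetical addresses) talking to port 21.
CLIENT, SERVER = "192.168.1.10", "10.0.0.5"
SAMPLE_TRACE = build_pcap([
    # port 40001: three SYN retransmits and nothing else -> a true S0
    tcp_frame(CLIENT, SERVER, 40001, 21, SYN),
    tcp_frame(CLIENT, SERVER, 40001, 21, SYN),
    tcp_frame(CLIENT, SERVER, 40001, 21, SYN),
    # port 40002: SYN, banner and ACKs, but the SYN-ACK never reached the trace
    tcp_frame(CLIENT, SERVER, 40002, 21, SYN),
    tcp_frame(CLIENT, SERVER, 40002, 21, ACK),
    tcp_frame(SERVER, CLIENT, 21, 40002, PSH | ACK, b"220 ftp ready\r\n"),
    tcp_frame(CLIENT, SERVER, 40002, 21, ACK),
    # port 40003: a complete handshake
    tcp_frame(CLIENT, SERVER, 40003, 21, SYN),
    tcp_frame(SERVER, CLIENT, 21, 40003, SYN | ACK),
    tcp_frame(CLIENT, SERVER, 40003, 21, ACK),
])


def check_trace(data, orig, resp, rport, ports):
    """Verdict per originator port for the connections orig:port -> resp:rport."""
    pkts = parse_pcap(data)
    return {p: diagnose(connection_packets(pkts, orig, p, resp, rport), orig) for p in ports}


if __name__ == "__main__":
    for port, verdict in check_trace(SAMPLE_TRACE, CLIENT, SERVER, 21, (40001, 40002, 40003)).items():
        print(f"{CLIENT}:{port} -> {SERVER}:21  {verdict}")
```

Reading a real "-w" trace means replacing SAMPLE_TRACE with the file's bytes and the addresses with the pair Bro logged as S0; "packets-dropped" for a connection is the signal that the capture, not the connection, is the problem.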