athomas at cc.gatech.edu
Fri Jan 3 23:25:00 PST 2003
You could also just watch the variable 'drop' returned by pcap_stats() to
see if there are drops.
pcap_stats is called by bro in the HeartBeat function, I guess.
This is *assuming* pcap is giving the drops value correctly. I remember
there was a bug on some OSes.
Vern Paxson wrote:
>>However, I still can't understand why the status of all connections not
>>from/to my host is "S0", which means "no answer", while my host's
>>connections were all right.
>That's very strange, unless in your setup Bro is massively dropping packets.
>So the next thing to do is use Bro's "-w tracefile" option to record the
>packets it's analyzing. Next time you find an S0 FTP session which you're
>sure was successful, extract the corresponding packets from the trace.
>If there are just initial SYNs and nothing else, then Bro was correct, and
>you were mistaken regarding that particular session being successful.
>If on the other hand there's an initial SYN, no SYN-ACK, but a bunch of
>subsequent packets related to the connection, then Bro is dropping packets.
>I can help with this analysis (send me the trace off-line) if needed.
College of Computing
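The trace check Vern describes (pull the packets of a suspect S0 session out of the "-w" trace and see whether there is only a SYN, or a SYN plus later packets with no SYN-ACK) can be automated. What follows is an added example, not code from Bro or from anyone on this list: a minimal libpcap-file reader that groups TCP packets by the originating SYN and sorts each connection into "only SYNs seen", "handshake seen", or "no SYN-ACK but later traffic" (the signature of a sniffer that dropped packets). The trace it reads is constructed inline (Ethernet/IPv4/TCP, zero checksums, hosts 10.0.0.5 and 192.0.2.10 are made up); to use it on a real Bro trace, pass the file's bytes to analyze() instead of SAMPLE_TRACE.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums left zero, the reader never looks at them."""
    eth = bytes(12) + b"\x08\x00"                                  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))                        # IHL=5, proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """Little-endian libpcap file, linktype 1 (Ethernet); records = [(seconds, frame), ...]."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(data):
    """Yield (ts, src, dst, sport, dport, flags, payload_len) for each TCP packet in a pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                                        # skip the global header
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:          # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        yield ts, src, dst, sport, dport, frame[t + 13], total_len - ihl - doff


def analyze(data):
    """Map (orig, oport, resp, rport) -> 'genuine-S0' | 'likely-drops' | 'handshake'."""
    conns = {}
    for _, src, dst, sport, dport, flags, _ in iter_tcp(data):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in conns:
            c, from_orig = conns[fwd], True
        elif rev in conns:
            c, from_orig = conns[rev], False
        elif flags & SYN and not flags & ACK:                       # a new connection attempt
            c, from_orig = conns.setdefault(fwd, {"syn": 0, "synack": 0, "other": 0}), True
        else:
            continue                                                # mid-stream, no SYN ever seen
        if from_orig and flags & SYN and not flags & ACK:
            c["syn"] += 1
        elif not from_orig and flags & SYN and flags & ACK:
            c["synack"] += 1
        else:
            c["other"] += 1
    verdicts = {}
    for key, c in conns.items():
        if c["synack"]:
            verdicts[key] = "handshake"
        elif c["other"]:
            verdicts[key] = "likely-drops"      # traffic continued, so the SYN-ACK existed on the wire
        else:
            verdicts[key] = "genuine-S0"        # only SYN(s): the other side really never answered
    return verdicts


# Constructed sample trace (not real traffic): three FTP control connections.
HOST, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_TRACE = build_pcap([
    (100, build_packet(HOST, SERVER, 40000, 21, SYN)),               # retried SYNs, no reply
    (103, build_packet(HOST, SERVER, 40000, 21, SYN)),
    (109, build_packet(HOST, SERVER, 40000, 21, SYN)),
    (200, build_packet(HOST, SERVER, 40001, 21, SYN)),               # SYN-ACK missing, yet...
    (200, build_packet(HOST, SERVER, 40001, 21, ACK)),
    (200, build_packet(SERVER, HOST, 21, 40001, PSH | ACK, b"220 ftp ready\r\n")),
    (201, build_packet(HOST, SERVER, 40001, 21, PSH | ACK, b"USER anonymous\r\n")),
    (300, build_packet(HOST, SERVER, 40002, 21, SYN)),               # complete handshake
    (300, build_packet(SERVER, HOST, 21, 40002, SYN | ACK)),
    (300, build_packet(HOST, SERVER, 40002, 21, ACK)),
])

if __name__ == "__main__":
    for (o, op, r, rp), verdict in sorted(analyze(SAMPLE_TRACE).items()):
        print("%s:%d -> %s:%d  %s" % (o, op, r, rp, verdict))
```

Any connection reported as "likely-drops" is one where Bro's S0 cannot be right: the originator's ACK and data could only have been sent after a SYN-ACK arrived, so the SYN-ACK was lost between the wire and the trace, which is exactly the symptom of a sniffer dropping packets. Cross-check such a finding against the pcap_stats() drop counter mentioned above; if the counter stays at zero while this pattern keeps appearing, the counter itself is suspect.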