[Bro] Connection summaries question
christian at whoop.org
Thu Oct 14 06:33:08 PDT 2004
Are the following observations correct:
- When Bro encounters a flow mid-stream and that flow gets shut down
normally in the end, I see "SF" in connection summaries.
- Also, it appears that when one port is well-known and the other is
ephemeral, Bro assumes that the connection was established from the
ephemeral to the well-known one.
This is based on the following tiny trace:
I'm asking because I'm selecting flows from a trace based on this output
and the semantics matter. Intuitively I would have assumed that SF is
only printed for flows seen in their entirety. OTH, however, seems to
stand for just mid-stream data with neither handshake nor teardown seen,
and there doesn't seem to be a symbol for flows seen from mid-stream to
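To make the distinction the post is after concrete, here is an added example (not Bro's own code) that tracks the two observations above over constructed TCP packets and keeps the one bit SF alone does not carry: whether the handshake was actually seen. Port ranges, flag strings and the sample flows are constructed for the example.

```python
"""Added example, not Bro's code: a tiny tracker that reproduces the two
conn_state observations from the post and records separately whether the
handshake itself was observed."""
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023  # assumption: ports <= 1023 are treated as well-known


@dataclass
class Pkt:
    sport: int
    dport: int
    flags: str  # subset of "SAFR", constructed for the example


def originator(pkts):
    """Originator port: the SYN sender if a handshake was seen; otherwise (as the
    post observes Bro doing) the ephemeral side when the other port is well-known."""
    for p in pkts:
        if "S" in p.flags and "A" not in p.flags:
            return p.sport
    a, b = pkts[0].sport, pkts[0].dport
    if a <= WELL_KNOWN_MAX < b:
        return b
    if b <= WELL_KNOWN_MAX < a:
        return a
    return None  # both well-known or both ephemeral: direction is ambiguous


def conn_state(pkts):
    """Return (state, handshake_seen). The state follows the post's observations;
    the second value is what SF by itself does not tell you."""
    saw_syn = any("S" in p.flags and "A" not in p.flags for p in pkts)
    saw_fin = any("F" in p.flags for p in pkts)
    if saw_fin:
        return "SF", saw_syn       # normal teardown -> SF, even if joined mid-stream
    if not saw_syn:
        return "OTH", False        # neither handshake nor teardown: mid-stream data only
    return None, False             # handshake without teardown: not covered by the post


# Constructed traces: seen in full, joined mid-stream then closed, and data only
FULL = [Pkt(40001, 80, "S"), Pkt(80, 40001, "SA"), Pkt(40001, 80, "A"),
        Pkt(40001, 80, "A"), Pkt(80, 40001, "FA"), Pkt(40001, 80, "FA")]
MIDSTREAM = [Pkt(80, 40002, "A"), Pkt(40002, 80, "A"),
             Pkt(40002, 80, "FA"), Pkt(80, 40002, "FA")]
DATA_ONLY = [Pkt(80, 40003, "A"), Pkt(40003, 80, "A")]


def select_complete(flows):
    """The filter the post is after: flows whose SF really means 'seen in full'."""
    return [name for name, pkts in flows.items() if conn_state(pkts) == ("SF", True)]
```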