[Bro] Strange Packet (invert ip)

Vern Paxson vern at icir.org
Sun Sep 19 14:24:19 PDT 2004


> 1095628174.157851 IP (tos 0x0, ttl 117, id 62764, offset 0, flags [none], 
> length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok] 
> 3738538976:3738538996(20) ack 1775556062 win 8760
> 
> but bro09a5, event this :
> 
> 1095628174.157850 WeirdActivity 
> bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80

Note, these two have *different* timestamps, which means they refer to
different packets.

		Vern


