[Bro] TCP Packets not getting logged

Bindiya V S bindiyavs at tataelxsi.co.in
Wed Nov 29 06:25:35 PST 2006


  I tried running some SSL PCAP(packet capture) files (using tcpreplay on the primary interface) with bro running on the system. Some of the TCP connections in the PCAP are not having the connection closing handshakes (FIN and ACK). When I try re-running the same PCAP in short intervals (running tcpreplays multiple times on the same PCAP), the packets coming on the connection which didnt have  FIN and ACK earlier are not getting logged. The other packets which had their connections neatly closed are getting loggged fine.
   I am working on ver 0.9 currently, but the same thing is happening on 1.1 release.
   I assumed that conn->IsReuse() in Sessions.cc will return true for these kind of packets. But that is not happening.
   Can some one help me out?

Thanks in Advance
Bindiya :)

More information about the Bro mailing list