[Bro] Artificial SYN-Packets?

Lothar Braun lothar at lobraun.de
Mon Jun 8 07:01:37 PDT 2009

Hi all,

I wrote a Bro script that works on the flags in the TCP header and on
the identifier field in the IP header. While some TCP connections can be
processed without any problems, others seem to produce strange results
with my script.

The attached pcap file (example.pcap) contains a problematic connection.
As you can see, it starts with four SYN packets (probably due to
retransmits) which also have ECN and CWR set. The identifier field of
these packets is set to a custom 0x3fff.

If you run bro-1.4 with the attached script (test.bro), which prints the
id-field and the flags, you will get this output:

$ bin/bro -C -r example.pcap test.bro
0 2
16383 210
16383 208
16383 216
16383 210
16383 208
16383 216
8191 216

As you can see, only one SYN packet has been passed to new_packet() in
the script. And this packet transports neither the correct id nor the
correct flags. I think this problem only occurs when the first SYN
packet has been retransmitted.

My questions:

1.) Is it the desired behavior to only pass one SYN packet to
new_packet() instead of all SYN packets? In my opinion it might be a
good idea to get all packets that have been transmitted (or observed).

2.) Is it desired behavior that the passed SYN packet does not contain
all the information that was in the original packet?

3.) Can I tune bro to give me the original packet?

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.pcap
Type: application/octet-stream
Size: 2057 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20090608/61af7d00/attachment.obj 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.bro
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20090608/61af7d00/attachment.ksh 
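To check a question like this independently of Bro, it helps to read the IP ID and TCP flags of every packet straight from the pcap and decode the flag integers. The script below is an added example, not part of the post and not Bro's own code: a minimal libpcap reader (Ethernet link type, no dependencies beyond the standard library), a decoder for the standard TCP flags byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128), and a builder for a constructed sample capture that mimics the described trace (four retransmitted SYNs with IP ID 0x3fff and ECE+CWR set, then a SYN-ACK and an ACK). The sample frames, addresses and ports are made up for the example and are not the contents of example.pcap; whether Bro 1.4's new_packet() flags field uses the same bit layout is an assumption, not something the post states.

```python
"""Per-packet IP ID and TCP flags straight from a pcap, without Bro.

Minimal libpcap reader plus a TCP flag decoder, so values printed by a
Bro script from new_packet() can be compared with what is on the wire.
Standard library only. Sample capture below is constructed for this
example and is NOT the example.pcap from the post.
"""
import struct

# Standard TCP flag bits (RFC 793 / RFC 3168), low bit first.
TCP_FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def decode_tcp_flags(flags):
    """Return the names of the bits set in an 8-bit TCP flags value."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def parse_frame(frame):
    """Return (ip_id, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                   # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length
    ip_id = struct.unpack("!H", ip[4:6])[0]           # identification field
    if ip[9] != 6:
        return None                                   # not TCP
    tcp = ip[ihl:]
    return ip_id, tcp[13]                             # TCP flags byte


def read_pcap(data):
    """Yield raw packet bytes from a libpcap file held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset = 24                                       # skip global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def summarize(pcap_bytes):
    """List (ip_id, flags, flag_names) for every TCP packet in the capture."""
    rows = []
    for pkt in read_pcap(pcap_bytes):
        parsed = parse_frame(pkt)
        if parsed:
            ip_id, flags = parsed
            rows.append((ip_id, flags, decode_tcp_flags(flags)))
    return rows


# --- constructed test data (hypothetical hosts/ports, not from example.pcap) ---
def build_frame(ip_id, flags, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80):
    """Build an Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1244444444 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


SYN_ECN = 0x02 | 0x40 | 0x80          # ECN-setup SYN: SYN with ECE and CWR (RFC 3168)
SAMPLE_FRAMES = (
    [build_frame(0x3FFF, SYN_ECN)] * 4  # four retransmitted SYNs, IP ID 0x3fff
    + [build_frame(0x1234, 0x02 | 0x10 | 0x40,
                   src="10.0.0.2", dst="10.0.0.1", sport=80, dport=40000)]  # SYN-ACK+ECE
    + [build_frame(0x4000, 0x10)]        # final handshake ACK
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for ip_id, flags, names in summarize(SAMPLE_PCAP):
        print(ip_id, flags, "+".join(names))
```

Pointing summarize() at a real file (summarize(open("example.pcap", "rb").read())) lists one row per packet, including every retransmitted SYN, which is the baseline to compare against the script's output. Under the standard bit layout, the 210, 208 and 216 in the output above decode to SYN+ACK+ECE+CWR, ACK+ECE+CWR and PSH+ACK+ECE+CWR, and the lone 2 to a bare SYN.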
