[Bro] Artificial SYN-Packets?

rmkml rmkml at free.fr
Mon Jun 8 08:35:03 PDT 2009


Hi Lothar,
If you read your last network pcap trace with Wireshark, you have the
same, multiple first SYN (and WE flags) TCP packets. Does Bro simply
understand this as TCP retransmits? Confirmed by conn.log:
  1022404512.136083 ? 194.44.56.35 139.103.147.106 http 59235 80 tcp 361 ? S1 X
and packet number 9 is a duplicate, and packets number 10 and 11 are
retransmits.
Regards
Rmkml
Crusoe-Researches.com


On Mon, 8 Jun 2009, Lothar Braun wrote:

> Hi Vern,
>
> Vern Paxson wrote:
>> A bunch of the packets have bad TCP checksums.  This is likely the problem -
>> the event engine is discarding them on that account.
>
> Thank you for the quick reply.
>
> All the packets have bad checksums, because I padded them with
> tcprewrite and forgot to use the fix checksum option. I therefore used
> bro -C to disable checksum testing when I ran my script (bro actually
> would have discarded these packets without -C). So I don't think this is
> the source of the problem.
>
> To make sure, I fixed the checksums with tcprewrite (see attached pcap)
> and still get the same problem.
>
> Best regards,
>  Lothar
>
