[Bro] Artificial SYN-Packets?

rmkml rmkml at free.fr
Mon Jun 8 08:35:03 PDT 2009

Hi Lothar,
If you read your last network pcap trace with Wireshark, you have the
same first SYN (and WE flags) TCP packet multiple times; Bro simply
understands it as a TCP retransmit? Confirmed by conn.log:
  1022404512.136083 ? http 59235 80 tcp 361 ? S1 X
and packet number 9 is a duplicate, and packets number 10 and 11 are 

On Mon, 8 Jun 2009, Lothar Braun wrote:

> Hi Vern,
> Vern Paxson wrote:
>> A bunch of the packets have bad TCP checksums.  This is likely the problem -
>> the event engine is discarding them on that account.
> Thank you for the quick reply.
> All the packets have bad checksums, because I padded them with
> tcprewrite and forgot to use the fix checksum option. I therefore used
> bro -C to disable checksum testing when I ran my script (bro actually
> would have discarded these packets without -C). So I don't think this is
> the source of the problem.
> To make sure, I fixed the checksums with tcprewrite (see attached pcap)
> and still get the same problem.
> Best regards,
>  Lothar
