[Bro] Artificial SYN-Packets?
rmkml at free.fr
Mon Jun 8 08:35:03 PDT 2009
If you read your last network pcap trace with Wireshark, you have
same+multiple first Syn (and WE flags) tcp packet, bro understand
simply tcp retransmit? confirmed by conn.log:
1022404512.136083 ? 188.8.131.52 184.108.40.206 http 59235 80 tcp 361 ? S1 X
and packet number 9 are duplicate, and packets number 10 and 11 are
On Mon, 8 Jun 2009, Lothar Braun wrote:
> Hi Vern,
> Vern Paxson wrote:
>> A bunch of the packets have bad TCP checksums. This is likely the problem -
>> the event engine is discarding them on that account.
> Thank you for the quick reply.
> All the packets have bad checksums, because I padded them with
> tcprewrite and forgot to use the fix checksum option. I therefore used
> bro -C to disable checksum testing when I ran my script (bro actually
> would have discarded these packets without -C). So I don't think this is
> the source of the problem.
> To make sure, I fixed the checksums with tcprewrite (see attached pcap)
> and still get the same problem.
> Best regards,
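Added example, not part of the original thread or of Bro's code: a Python check for the situation discussed above, where a rewritten trace carries TCP checksums that a checksum-validating monitor would discard. The addresses, ports and helper names are constructed, and the example assumes the padding extends the TCP segment without the checksum being recomputed.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment, checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the stored checksum (bytes 16-17 of the TCP header) is valid."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def fix_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Return the segment with its checksum recomputed."""
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed 20-byte SYN segment (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return fix_checksum(src_ip, dst_ip, hdr)

def discarded(src_ip: str, dst_ip: str, segments: list) -> list:
    """Indices of segments a checksum-validating monitor would drop."""
    return [i for i, s in enumerate(segments) if not checksum_ok(src_ip, dst_ip, s)]

if __name__ == "__main__":
    SRC, DST = "192.0.2.1", "198.51.100.2"        # constructed documentation addresses
    syn = build_syn(SRC, DST, 40000, 80, 1000)    # constructed sample packet
    padded = syn + b"\x00" * 4                    # padded, checksum left stale
    repaired = fix_checksum(SRC, DST, padded)
    print("dropped:", discarded(SRC, DST, [syn, padded, repaired]))
```

Even zero-byte padding invalidates the checksum, because the segment length is part of the pseudo-header that the checksum covers.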