[Bro] Fragmentation and TCP overlapping Issues

Veronica Estrada estrada.veronica at gmail.com
Mon Dec 6 06:04:18 PST 2010

Thank you very much! This information helps me a lot.

Regarding fragmentation (question 1), I am running bro with this command:

bro $files todai-nets -f "tcp or udp or icmp" dpd_conn_logs=T dpd
detect-protocols dyn-disable detect-protocols-http proxy ssh irc-bot brolite
print-globals capture-loss

The variable $files contains 300 consecutive captured files (pcap) of 4 Gb
each. In this experiment I am not getting any "fragment" event.

On the contrary, fragmentation events appeared when bro was run using a
subset of the aforementioned files. I don't have a record about the Bro
parameters set for this case. Basically the difference here is how the input
data to Bro was previously processed. In this case, we aggregated these
small pcap files in bigger ones (80Gb). Every 20 files we applied ipsumdump
to generate a bigger pcap file and feed Bro system so now, Bro triggers this
type of events: excessively_small_fragment, fragment_inconsistency,
fragment_overlap, fragment_size_inconsistency, fragment_with_DF

What would be the reason for not getting these fragment events in the first

Regarding the other questions about overlapping, I am preparing an e-mail
with detail of the traces with problems. I cannot publish this on the list.

Thank you again,

On Mon, Dec 6, 2010 at 2:38 PM, Vern Paxson <vern at icir.org> wrote:

> > 1. Although I am loading "frag", I am not receiving any event related with
> > fragmentation.
> >
> > What could be wrong? libpcap library? my BRO version?
>
> As usual, it helps a great deal if you include a trace and the command
> line you're using.
>
> One possibility is that you're trying to analyze UDP fragments, since the
> filter included by frag.bro only analyzes TCP fragments (to avoid heavy
> load from NFS traffic; this is vestigial, and makes sense to remove).
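
One way to check the possibility raised in the quoted reply, that the fragments in a trace are UDP rather than TCP, is to count IPv4 fragments per protocol directly in the pcap. This is an added example, not part of the original thread or of Bro; the function names and the sample packets are constructed for illustration, and it assumes a classic (non-pcapng) Ethernet capture without VLAN tags that fits in memory.

```python
import struct

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def ipv4_fragment_counts(pcap_bytes):
    """Count IPv4 fragments per protocol in a classic Ethernet pcap."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet link type (1) is handled")
    counts, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Skip truncated frames and anything that is not untagged IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        flags_off = struct.unpack("!H", frame[20:22])[0]
        # A fragment has More Fragments (0x2000) set or a non-zero offset.
        if flags_off & 0x2000 or flags_off & 0x1FFF:
            name = PROTO.get(frame[23], str(frame[23]))
            counts[name] = counts.get(name, 0) + 1
    return counts

def sample_pcap():
    """Constructed trace: 2 UDP fragments, 1 TCP fragment, 2 whole packets."""
    def frame(proto, flags_off):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, flags_off, 64, proto,
                         0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 8
    frames = [frame(17, 0x2000), frame(17, 0x0001), frame(6, 0x4000),
              frame(6, 0x2000), frame(1, 0x0000)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(ipv4_fragment_counts(sample_pcap()))
```

Running it on both the small capture files and the aggregated ones shows whether the two inputs actually contain the same fragments before Bro sees them.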