Justin Azoff JAzoff at uamail.albany.edu
Sat Feb 6 10:51:03 PST 2010

On Sat, Feb 06, 2010 at 01:12:36PM -0500, Bill Jones wrote:
> That's what I'm finding strange.  After running a tcpdump capture on
> the interface and analyzing it with Wireshark, I do not see any 3-way
> handshakes for this particular web application.  For any HTTP GET that
> I see in Wireshark that pertains to this application, when I "Follow
> TCP Stream", the first entry in Wireshark is always the GET message
> itself.  For all other applications on the network, doing the above
> results in the first entry being the SYN.

Just to make sure this isn't it, what bpf filter, if any, are you using with
tcpdump and bro?

If it's not the filter, the only thing I can think of is that the load balancer
is opening a persistent (http/1.1 keep-alive) connection to the backend servers.

I don't know how common that sort of thing is, but it would be easy to check
for: you would see the http/1.1 connection: header in the GET request.

you could also see if tcpdump sees a 3-way handshake if you restart one of the
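As an added example that is not part of the thread (neither Justin's nor Bill's code, and not a Bro script): a pure-stdlib Python pcap reader that performs the two checks suggested above for each TCP flow, namely whether a SYN was captured before the first HTTP GET, and whether that GET carries an HTTP/1.1 `Connection: keep-alive` header. The capture it reads is constructed inline (Ethernet/IPv4/TCP, link type 1, hypothetical addresses 10.0.0.5 client, 10.0.0.10 load balancer, 10.0.0.20 backend), so it runs offline; point `iter_frames` at the bytes of a real tcpdump file to apply the same checks to an actual capture.

```python
"""Flag TCP flows whose HTTP GET shows up before any SYN (mid-stream / keep-alive)."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def ip_bytes(addr):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split('.'))


def build_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b''):
    """Constructed Ethernet II + IPv4 + TCP frame (checksums left zero; enough for parsing)."""
    eth = b'\x00' * 12 + b'\x08\x00'
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file (little-endian magic, link type 1 = Ethernet)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1265478000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw link-layer frames from a little-endian, microsecond pcap byte string."""
    magic, = struct.unpack_from('<I', pcap, 0)
    if magic != 0xa1b2c3d4:
        raise ValueError('only little-endian microsecond pcap is handled here')
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from('<IIII', pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0f) * 4
    total_len = struct.unpack_from('!H', frame, 16)[0]
    src = '.'.join(map(str, frame[26:30]))
    dst = '.'.join(map(str, frame[30:34]))
    t = 14 + ihl
    sport, dport = struct.unpack_from('!HH', frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]
    return src, sport, dst, dport, flags, frame[t + data_off:14 + total_len]


def persistent_connection(request):
    """True if an HTTP request asks for (or, being HTTP/1.1, defaults to) a persistent connection."""
    head = request.split(b'\r\n\r\n', 1)[0].split(b'\r\n')
    version = head[0].rsplit(b' ', 1)[-1]
    connection = None
    for line in head[1:]:
        name, _, value = line.partition(b':')
        if name.strip().lower() == b'connection':
            connection = value.strip().lower()
    if connection == b'keep-alive':
        return True
    if connection == b'close':
        return False
    return version == b'HTTP/1.1'  # HTTP/1.1 is persistent unless told otherwise


def analyze(pcap):
    """Per flow (both directions merged): did a SYN precede each GET, and is the GET keep-alive?"""
    flows = {}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows.setdefault(key, {'saw_syn': False, 'requests': []})
        if flags & SYN and not flags & ACK:
            flow['saw_syn'] = True
        if payload.startswith(b'GET '):
            flow['requests'].append({'handshake_seen': flow['saw_syn'],
                                     'persistent': persistent_connection(payload)})
    return flows


def requests_without_handshake(flows):
    """Flows whose GETs appeared before any SYN: the symptom described in the thread."""
    return sorted(key for key, f in flows.items()
                  if any(not r['handshake_seen'] for r in f['requests']))


# Constructed capture: flow A with a full handshake, flow B only seen mid-stream (keep-alive).
CLIENT, LB, WEB = '10.0.0.5', '10.0.0.10', '10.0.0.20'
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, WEB, 40000, 80, SYN, seq=1),
    build_frame(WEB, CLIENT, 80, 40000, SYN | ACK, seq=1000, ack=2),
    build_frame(CLIENT, WEB, 40000, 80, ACK, seq=2, ack=1001),
    build_frame(CLIENT, WEB, 40000, 80, PSH | ACK, seq=2, ack=1001,
                payload=b'GET / HTTP/1.1\r\nHost: web\r\nConnection: close\r\n\r\n'),
    build_frame(LB, WEB, 50000, 80, PSH | ACK, seq=7777, ack=8888,
                payload=b'GET /app HTTP/1.1\r\nHost: web\r\nConnection: keep-alive\r\n\r\n'),
])

if __name__ == '__main__':
    flows = analyze(SAMPLE_PCAP)
    for key, flow in flows.items():
        print(key, flow)
    print('GET without a captured handshake:', requests_without_handshake(flows))
```

The flow key merges both directions of a connection, so a SYN from the client and a GET in the same direction land in one record; a GET whose flow record still has `saw_syn` false is exactly the "Follow TCP Stream starts at the GET" case, and `persistent_connection` tells you whether the request itself announces keep-alive, which is the header check mentioned above.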

