[Bro] Load Balancers

Bill Jones bill.jones at syntervision.com
Sat Feb 6 11:05:32 PST 2010


Sorry, I meant to add that no bpf filters are being added to tcpdump
or bro at this time.  Also, I don't have the ability to restart these
servers at this time.

On Sat, Feb 6, 2010 at 2:04 PM, Bill Jones <bill.jones at syntervision.com> wrote:
> Justin,
> Thanks for the response.  I do actually see a "Connection:
> Keep-Alive\r\n" in the GET packet.  From this, can I assume that a
> persistent connection is being held, thus the confusion by bro?
> If so, do you have any ideas or suggestions on how I can get the HTTP
> analyzer to still process these as if the connection had been
> established normally?
> Regards,
> Bill
> On Sat, Feb 6, 2010 at 1:51 PM, Justin Azoff <JAzoff at uamail.albany.edu> wrote:
>> On Sat, Feb 06, 2010 at 01:12:36PM -0500, Bill Jones wrote:
>>> That's what I'm finding strange.  After running a tcpdump capture on
>>> the interface and analyzing it with Wireshark, I do not see any 3-way
>>> handshakes for this particular web application.  For any HTTP GET that
>>> I see in Wireshark that pertains to this application, when I "Follow
>>> TCP Stream", the first entry in Wireshark is always the GET message
>>> itself.  For all other applications on the network, doing the above
>>> results in the first entry being the SYN.
>> Just to make sure this isn't it, what bpf filter if any are you using with
>> tcpdump and bro?
>> If it's not the filter, the only thing I can think of is that the load balancer
>> is opening a persistent (http/1.1 keep-alive) connection to the backend servers.
>> I don't know how common that sort of thing is, but it would be easy to check
>> for; you would see the http/1.1 connection: header in the GET request.
>> you could also see if tcpdump sees a 3-way handshake if you restart one of the
>> webservers.
>> --
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
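
The two checks Justin describes (is there a SYN for the flow at all, and does the first request carry a `Connection: Keep-Alive` header) can be scripted over a capture. The following is an added example, not code from the thread or from the Bro project; it works on hand-constructed packet tuples rather than a real pcap, and the hosts, ports and header lines in `SAMPLE_PACKETS` are invented for illustration. A flow that shows up with a GET as its first visible packet and no preceding SYN is exactly the "mid-stream" case a monitor sees when a load balancer reuses a long-lived backend connection.

```python
"""Classify TCP flows by whether their 3-way handshake was observed.

Added example, not from the mailing-list thread. The packets below are
constructed by hand (no real capture); each tuple is
(src, sport, dst, dport, tcp_flags, payload).
"""
from collections import defaultdict

# Constructed sample traffic: one ordinary client connection with a full
# handshake, and one load-balancer -> backend flow where the first packet we
# ever see is already a GET on a persistent (keep-alive) connection.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "10.0.1.10", 80, "S", b""),
    ("10.0.1.10", 80, "10.0.0.5", 40001, "SA", b""),
    ("10.0.0.5", 40001, "10.0.1.10", 80, "A", b""),
    ("10.0.0.5", 40001, "10.0.1.10", 80, "PA",
     b"GET / HTTP/1.1\r\nHost: app\r\nConnection: close\r\n\r\n"),
    ("10.0.2.1", 51234, "10.0.1.20", 8080, "PA",
     b"GET /app HTTP/1.1\r\nHost: app\r\nConnection: Keep-Alive\r\n\r\n"),
    ("10.0.1.20", 8080, "10.0.2.1", 51234, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
    ("10.0.2.1", 51234, "10.0.1.20", 8080, "PA",
     b"GET /app/2 HTTP/1.1\r\nHost: app\r\nConnection: Keep-Alive\r\n\r\n"),
]


def flow_key(pkt):
    """Direction-independent 4-tuple so both halves of a flow group together."""
    src, sport, dst, dport, _flags, _payload = pkt
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def _is_request(payload):
    """True if the payload starts with an HTTP request method."""
    return payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")


def _keep_alive(payload):
    """True if the request's Connection: header asks for keep-alive."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"connection:"):
            return b"keep-alive" in line.lower()
    return False


def analyze(packets):
    """Group packets into flows and summarise handshake / keep-alive state."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    report = {}
    for key, pkts in flows.items():
        # A pure SYN (no ACK bit) means we saw the start of the connection.
        saw_syn = any("S" in p[4] and "A" not in p[4] for p in pkts)
        first_payload = next((p[5] for p in pkts if p[5]), b"")
        requests = [p[5] for p in pkts if _is_request(p[5])]
        report[key] = {
            "saw_syn": saw_syn,
            "first_payload_is_request": _is_request(first_payload),
            "keep_alive": any(_keep_alive(r) for r in requests),
            "requests": len(requests),
        }
    return report


def mid_stream_flows(report):
    """Flows whose first visible packet was already an HTTP request (no SYN)."""
    return sorted(k for k, v in report.items()
                  if not v["saw_syn"] and v["first_payload_is_request"])


if __name__ == "__main__":
    result = analyze(SAMPLE_PACKETS)
    for key, info in result.items():
        print(key, info)
    print("mid-stream flows:", mid_stream_flows(result))
```

On the constructed data the client flow reports `saw_syn=True` with a single request, while the load-balancer flow reports `saw_syn=False`, `keep_alive=True` and two requests on the same 4-tuple, which is the pattern to look for in a real capture before blaming the HTTP analyzer. To apply it to a pcap, feed the same tuples from a packet parser (flags as the usual S/A/P letters) instead of the inline list.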
