[Bro] Load Balancers
bill.jones at syntervision.com
Sat Feb 6 11:05:32 PST 2010
Sorry, I meant to add that no bpf filters are being added to tcpdump
or bro at this time. Also, I don't have the ability to restart these
servers at this time.
On Sat, Feb 6, 2010 at 2:04 PM, Bill Jones <bill.jones at syntervision.com> wrote:
> Thanks for the response. I do actually see a "Connection:
> Keep-Alive\r\n" in the GET packet. From this, can I assume that a
> persistent connection is being held, thus the confusion by bro?
> If so, do you have any ideas or suggestions on how I can get the HTTP
> analyzer to still process these as if the connection had been
> established normally?
> On Sat, Feb 6, 2010 at 1:51 PM, Justin Azoff <JAzoff at uamail.albany.edu> wrote:
>> On Sat, Feb 06, 2010 at 01:12:36PM -0500, Bill Jones wrote:
>>> That's what I'm finding strange. After running a tcpdump capture on
>>> the interface and analyzing it with Wireshark, I do not see any 3-way
>>> handshakes for this particular web application. For any HTTP GET that
>>> I see in Wireshark that pertains to this application, when I "Follow
>>> TCP Stream", the first entry in Wireshark is always the GET message
>>> itself. For all other applications on the network, doing the above
>>> results in the first entry being the SYN.
>> Just to make sure this isn't it, what bpf filter, if any, are you using with
>> tcpdump and bro?
>> If it's not the filter, the only thing I can think of is that the load balancer
>> is opening a persistent (http/1.1 keep-alive) connection to the backend servers.
>> I don't know how common that sort of thing is, but it would be easy to check
>> for; you would see the http/1.1 connection: header in the GET request.
>> you could also see if tcpdump sees a 3-way handshake if you restart one of the
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
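The diagnostic Justin describes above (are the application's requests arriving on connections whose SYN was never captured, and do they carry a keep-alive Connection: header?) can be automated over a packet list. The script below is an added example for this thread; it is not Bro code and not from either poster. It works on a constructed in-memory packet list (addresses, ports and payloads are made up) so it runs offline; to use it on a real trace you would feed it packets read from a pcap with whatever reader you prefer. A flow whose first observed packet is already an HTTP request is reported as "midstream", which is exactly the situation where a sniffer started after a load balancer opened its persistent backend connection.

```python
# Added example (not from the thread): group captured TCP packets into flows and
# flag flows whose first observed packet is an HTTP request rather than a SYN.
# Such "midstream" flows are what a keep-alive connection reused by a load
# balancer looks like to a sniffer started after the connection was opened.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def flow_key(p: Packet) -> str:
    """Direction-independent identifier for the TCP 4-tuple."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return "{}:{}<->{}:{}".format(ends[0][0], ends[0][1], ends[1][0], ends[1][1])


def connection_header(payload: bytes):
    """Return the lower-cased value of the HTTP Connection: header, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"connection":
            return value.strip().lower().decode("ascii", "replace")
    return None


def classify_flows(packets):
    """Per flow: was a SYN seen first, how many requests, any keep-alive header?"""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    report = {}
    for key, pkts in flows.items():
        requests = [p.payload for p in pkts if p.payload.startswith(HTTP_METHODS)]
        headers = [connection_header(r) for r in requests]
        report[key] = {
            "handshake_seen": pkts[0].flags == "S",
            "requests": len(requests),
            "keep_alive": any(h == "keep-alive" for h in headers),
        }
    return report


def midstream_flows(packets):
    """Flows carrying HTTP requests for which no SYN was ever captured."""
    return sorted(k for k, v in classify_flows(packets).items()
                  if v["requests"] and not v["handshake_seen"])


# Constructed sample capture (addresses and payloads are made up for the example).
CLIENT, LB, WEB = "10.0.0.5", "10.0.0.10", "10.0.1.20"
SAMPLE_PACKETS = [
    # Normal client-side connection: full handshake, then one request.
    Packet(CLIENT, 40001, WEB, 80, "S"),
    Packet(WEB, 80, CLIENT, 40001, "SA"),
    Packet(CLIENT, 40001, WEB, 80, "A"),
    Packet(CLIENT, 40001, WEB, 80, "PA",
           b"GET /index.html HTTP/1.1\r\nHost: web\r\nConnection: close\r\n\r\n"),
    # Load-balancer-to-backend connection opened before the capture started:
    # the first packet we see is already a request, and the connection is reused.
    Packet(LB, 52000, WEB, 8080, "PA",
           b"GET /app/login HTTP/1.1\r\nHost: web\r\nConnection: Keep-Alive\r\n\r\n"),
    Packet(WEB, 8080, LB, 52000, "A"),
    Packet(LB, 52000, WEB, 8080, "PA",
           b"GET /app/status HTTP/1.1\r\nHost: web\r\nConnection: Keep-Alive\r\n\r\n"),
]

if __name__ == "__main__":
    for key, info in classify_flows(SAMPLE_PACKETS).items():
        print(key, info)
    print("midstream:", midstream_flows(SAMPLE_PACKETS))
```

On the sample data the client flow reports a handshake and a single `Connection: close` request, while the load-balancer flow reports no handshake, two requests and `keep_alive` true. A trace where every request for one application lands in the second category, while other applications' flows land in the first, is consistent with the persistent backend connection suspected in the thread rather than with a capture filter dropping SYNs.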