[Bro] linking a wrong_fragment event to a connection
estrada.veronica at gmail.com
Thu Mar 11 03:22:54 PST 2010
I am asking about this topic again, trying to clarify my questions (and my English). I
want to associate a summary of wrong fragments to the corresponding line in
the connection summary.
I made a script to count the different fragment problems triggered by
How can I know which connection has generated that wrong fragment event? The
wrong fragment event only logs src, dst and network_time. This is not enough
to link the fragment to a connection inside connection summary.
1247652196.907274 src_ip -> dst_ip: fragment_with_DF
By the way, I read about active and passive timeouts on connections
("Flow-based TCP Connection Analysis" by Limmer and Dressler).
I don't understand how this topic is treated in BRO. I found only one type
of timeout (TCP_inactivity_timeout). Is this timeout the active timeout? Can
I tune a passive timeout? Maybe I am missing other user-tunable timeouts
that can affect my results.
Maybe I am getting into the details of bro design; I want to understand what
I am doing, and what I shouldn't do to get the wrong fragment count inside
the conn.bro file.
The University of Tokyo