[Bro] TCP handshake

Veronica Estrada estrada.veronica at gmail.com
Thu Jan 6 00:39:20 PST 2011

What happens with Bro when 3 way handshake packets are not synchronized?

In the case of offline analysis, inbound packets and outbound packets may
receive timestamps that are not synchronized (maybe due to problems in the
capture machine setup).
We think that it may affect short connections. For example, the pcap file
can contain a SYN-ACK with a timestamp before the first SYN packet.

Can Bro detect the 3-way handshake in this situation? Or the ACK-SYN get
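The timestamp problem described in the post can be checked for before the trace is handed to any analyzer. The following is an added example, not code from the post or from Bro: it scans packet records (the `Packet` fields and the constructed sample trace are assumptions; a real pcap reader would fill them in) and reports every connection whose SYN-ACK is stamped earlier than the SYN it answers, plus a lower bound on the clock offset between the two capture directions.

```python
"""Detect inverted TCP handshakes (SYN-ACK timestamped before its SYN),
the symptom of unsynchronised inbound/outbound capture clocks."""
from collections import namedtuple

# Assumed record layout; a pcap reader would produce these fields.
Packet = namedtuple("Packet", "ts src sport dst dport flags")
SYN, ACK = 0x02, 0x10

def find_inverted_handshakes(packets):
    """Return {(client, cport, server, sport): (syn_ts, synack_ts)} for
    every connection whose SYN-ACK timestamp is earlier than its SYN."""
    syn_ts, synack_ts = {}, {}
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            key = (p.src, p.sport, p.dst, p.dport)
            syn_ts.setdefault(key, p.ts)            # first SYN wins
        elif p.flags & SYN and p.flags & ACK:
            key = (p.dst, p.dport, p.src, p.sport)  # index by the client side
            synack_ts.setdefault(key, p.ts)
    return {k: (syn_ts[k], synack_ts[k]) for k in syn_ts
            if k in synack_ts and synack_ts[k] < syn_ts[k]}

def estimate_direction_skew(packets):
    """Lower bound on the clock offset between directions: the largest
    amount by which any SYN-ACK precedes its own SYN (0.0 if none do).
    The true offset is larger by at least the server's response delay."""
    inv = find_inverted_handshakes(packets)
    return max((s - sa for s, sa in inv.values()), default=0.0)

# Constructed sample trace: two handshakes; in the second, the inbound
# SYN-ACK carries a timestamp 0.8 s before the outbound SYN.
SAMPLE = [
    Packet(100.000, "10.0.0.5", 40001, "192.0.2.10", 80, SYN),
    Packet(100.020, "192.0.2.10", 80, "10.0.0.5", 40001, SYN | ACK),
    Packet(100.021, "10.0.0.5", 40001, "192.0.2.10", 80, ACK),
    Packet(101.500, "10.0.0.5", 40002, "192.0.2.20", 443, SYN),
    Packet(100.700, "192.0.2.20", 443, "10.0.0.5", 40002, SYN | ACK),
    Packet(101.520, "10.0.0.5", 40002, "192.0.2.20", 443, ACK),
]

if __name__ == "__main__":
    for conn, (s, sa) in find_inverted_handshakes(SAMPLE).items():
        print(f"{conn}: SYN at {s:.3f}, SYN-ACK at {sa:.3f}, "
              f"inverted by {s - sa:.3f}s")
    print(f"direction skew is at least {estimate_direction_skew(SAMPLE):.3f}s")
```

A non-zero skew on a trace means handshake-order assumptions in any later analysis are unreliable until the two capture directions are re-aligned.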
