[Bro] TCP handshake

Veronica Estrada estrada.veronica at gmail.com
Thu Jan 6 00:39:20 PST 2011


What happens with Bro when 3 way handshake packets are not synchronized?

In the case of offline analysis, inbound packets and outbound packets may
receive timestamps that are not synchronized (maybe due to problems in the
capture machine setup).
We think that it may affect short connections. For example, the pcap file
can contain a SYN-ACK with a timestamp before the first SYN packet.

Can Bro detect the 3-way handshake in this situation? Or does the ACK-SYN get
discarded?

Regards,
VE
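An added example, not part of the original post and not Bro's own code: a small Python script that checks a pcap for the condition described in the question, i.e. TCP connections whose first SYN-ACK carries an earlier timestamp than their first SYN, so that a trace can be inspected for this kind of clock skew before it is handed to Bro. Everything in it is assumed for illustration: the pcap builder, the helper names, and the sample addresses and timestamps, which are constructed here and are not a real capture. The reader only handles plain Ethernet/IPv4/TCP frames (no VLAN tags, no IPv6).

```python
import struct

# Minimal libpcap reader/writer plus a handshake-ordering check.
# Added example; the sample trace below is constructed, not a real capture.

SYN, ACK = 0x02, 0x10
MAGIC_US, MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D


def build_pcap(records):
    """Build a little-endian, microsecond-resolution pcap (link type 1 = Ethernet).
    records: iterable of (ts_sec, ts_usec, frame_bytes)."""
    out = struct.pack("<IHHiIII", MAGIC_US, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet II + IPv4 (no options) + TCP (no options, no payload); checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (ts_microseconds, src, dst, sport, dport, tcp_flags) for every IPv4/TCP frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MAGIC_US, MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # same magics as written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    nanos = magic in (MAGIC_NS, 0x4D3CB2A1)
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4 over plain Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                          # not TCP, or truncated before the flags byte
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        ts = sec * 1_000_000 + (frac // 1000 if nanos else frac)
        yield ts, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), sport, dport, tcp[13]


def find_reordered_handshakes(data):
    """Return [(originator_ip, orig_port, responder_ip, resp_port, skew_us), ...] for every
    connection whose first SYN-ACK is timestamped earlier than its first SYN."""
    syn_ts, synack_ts = {}, {}
    for ts, src, dst, sport, dport, flags in parse_pcap(data):
        if flags & SYN and not flags & ACK:
            syn_ts.setdefault((src, sport, dst, dport), ts)
        elif flags & SYN and flags & ACK:
            # key the SYN-ACK by the originator so it lines up with its SYN
            synack_ts.setdefault((dst, dport, src, sport), ts)
    return [key + (syn_ts[key] - t_sa,) for key, t_sa in synack_ts.items()
            if key in syn_ts and t_sa < syn_ts[key]]


def sample_pcap():
    """Constructed trace: two handshakes merged in timestamp order. Connection A's SYN-ACK
    (the inbound side) is stamped 150 us before its SYN, as if the two capture directions
    had skewed clocks; connection B is ordered normally."""
    a, b, srv = "10.0.0.1", "10.0.0.2", "192.0.2.10"
    return build_pcap([
        (1294300000, 499850, tcp_frame(srv, a, 80, 40000, SYN | ACK, seq=9000, ack=1001)),   # A SYN-ACK
        (1294300000, 500000, tcp_frame(a, srv, 40000, 80, SYN, seq=1000)),                   # A SYN
        (1294300000, 500200, tcp_frame(a, srv, 40000, 80, ACK, seq=1001, ack=9001)),         # A ACK
        (1294300001, 0,      tcp_frame(b, srv, 40001, 443, SYN, seq=2000)),                  # B SYN
        (1294300001, 300,    tcp_frame(srv, b, 443, 40001, SYN | ACK, seq=7000, ack=2001)),  # B SYN-ACK
        (1294300001, 600,    tcp_frame(b, srv, 40001, 443, ACK, seq=2001, ack=7001)),        # B ACK
    ])


if __name__ == "__main__":
    for orig, oport, resp, rport, skew in find_reordered_handshakes(sample_pcap()):
        print(f"{orig}:{oport} -> {resp}:{rport}: SYN-ACK precedes SYN by {skew} us")
```

On a real trace, call find_reordered_handshakes(open("trace.pcap", "rb").read()) and look at the reported skews; a consistent negative offset across many connections points at clock skew between the two capture directions rather than at genuine packet loss. The check keys on the first SYN and first SYN-ACK per 4-tuple only, so a trace with heavy port reuse can pair a later SYN-ACK with an earlier connection's SYN.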