[Bro] TCP handshake
estrada.veronica at gmail.com
Sat Jan 8 03:08:30 PST 2011
I did some metrics, and the problem is confined to just a few cases with
a fast handshake process. There are also some other rare cases maybe more related
to anomalies on the net (crud).
On Fri, Jan 7, 2011 at 1:35 AM, Robin Sommer <robin at icir.org> wrote:
> On Thu, Jan 06, 2011 at 17:39 +0900, you wrote:
> > We think that it may affect short connections. For example, the pcap file
> > can contain a syn-ack with a timestamp before the first SYN packet.
> Yes, Bro will have trouble with that. It assumes that it sees
> packets in the order they were on the wire and if that's not the
> case, results are not really predictable. If the problem were just
> packets not sorted in terms of their timestamps, you could use Bro's
> "packet sorter" feature to get them into the right order, but it
> sounds like here the timestamps themselves are already off. It's
> worth trying hard to avoid that at the point where packets are
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
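The two cases distinguished in the quoted reply (packets merely out of timestamp order in the file, versus a SYN-ACK whose timestamp precedes its SYN) can be told apart before a trace is handed to Bro. The following is an added example, not code from this thread or from the Bro project; it assumes a classic little-endian libpcap file with microsecond timestamps and Ethernet/IPv4/TCP frames, and all function names and sample packets are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10

def read_pcap(data):
    """Yield (timestamp_us, frame) from classic little-endian libpcap bytes."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield sec * 1_000_000 + usec, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_fields(frame):
    """Return (src, sport, dst, dport, flags) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4  # start of the TCP header
    if len(frame) < t + 14:
        return None
    sport, dport = struct.unpack_from("!HH", frame, t)
    return frame[26:30], sport, frame[30:34], dport, frame[t + 13]

def check_capture(data):
    """Return (inverted handshakes, timestamps that go backwards in file order)."""
    syn, synack, regressions, last = {}, {}, 0, None
    for ts, frame in read_pcap(data):
        regressions += last is not None and ts < last
        last = ts
        f = tcp_fields(frame)
        if f and f[4] & (SYN | ACK) == SYN:  # keyed client -> server
            syn.setdefault(f[:4], ts)
        elif f and f[4] & (SYN | ACK) == (SYN | ACK):  # flip to the client's key
            synack.setdefault((f[2], f[3], f[0], f[1]), ts)
    bad = [(k, syn[k], synack[k]) for k in syn if k in synack and synack[k] < syn[k]]
    return bad, regressions

def frame(src, dst, sport, dport, flags):  # builds a constructed sample packet
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\0" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(recs):  # recs: (sec, usec, frame) in file order
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in recs)

C, S = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed endpoints
SAMPLE = build_pcap([(100, 200, frame(S, C, 80, 40000, SYN | ACK)),  # constructed capture:
                     (100, 500, frame(C, S, 40000, 80, SYN))])  # SYN-ACK stamped before SYN
```

A non-zero regression count with no inverted handshakes is the case where re-sorting by timestamp is enough; an inverted handshake with zero regressions, as in `SAMPLE`, means the timestamps themselves are off and sorting will not repair the trace.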