[Bro] conn.log - What does cc=1 mean?
jdvessey at gmail.com
Tue Jul 19 11:42:39 PDT 2011
This is my first post. I'm just another network monkey who has been playing
around with Bro for the last year or so, writing some custom policy files to
try to do some large-scale analysis.
Can anyone tell me what the "cc=1" means at the end of a line in conn.log?
I'm getting output lines like this:
1307664147.729018 0.103712 22.214.171.124 126.96.36.199 https? 1839 443 tcp 1865279311 ? RSTOS0 X cc=1
The 'sent bytes' value is "1865279311", which seems awfully high, and received
is 0. A quick survey suggests that most entries with a large byte count in
either sent or received and 0 in the other direction have the state set to
"RSTOS0" and the flags set to "X cc=1".
I believe one of the main factors causing this is damaged PCAPs (limited
snaplength, possibly dropped packets). However, if I can exclude the damaged
records, I can still carry on with some analysis.
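An added example (not from the post or from Bro itself) of how the "large one way, zero the other way, state RSTOS0" pattern described above could be used to set aside suspect records before analysis. The field order is assumed from the single line quoted in the post, the extra lines in the sample are constructed, and the byte threshold is an arbitrary choice; the "cc=1" value is carried through but not interpreted.

```python
# Added example (not from the post): partition a Bro 1.x-style conn.log into
# records that look intact and records matching the damaged-capture pattern
# described above. Field order is assumed from the single quoted line.
from typing import Optional

FIELDS = ("ts", "duration", "orig_ip", "resp_ip", "service", "orig_port",
          "resp_port", "proto", "orig_bytes", "resp_bytes", "state", "flags")

# Constructed sample: line 1 is the post's example, lines 2-3 are made up.
SAMPLE_LOG = """\
1307664147.729018 0.103712 22.214.171.124 126.96.36.199 https? 1839 443 tcp 1865279311 ? RSTOS0 X cc=1
1307664150.000000 1.250000 192.0.2.10 198.51.100.5 http 51234 80 tcp 512 2048 SF L
1307664151.500000 0.010000 192.0.2.11 198.51.100.7 other 40000 8443 tcp 90000000 0 SF L
"""

def _bytes(field: str) -> Optional[int]:
    # Bro writes "?" when a byte count is unknown; keep that distinct from 0.
    return None if field == "?" else int(field)

def parse_line(line: str) -> dict:
    f = line.split()
    if len(f) < len(FIELDS):
        raise ValueError(f"unexpected conn.log line: {line!r}")
    rec = dict(zip(FIELDS, f))
    rec["orig_bytes"] = _bytes(rec["orig_bytes"])
    rec["resp_bytes"] = _bytes(rec["resp_bytes"])
    rec["addl"] = " ".join(f[len(FIELDS):])   # e.g. "cc=1", left uninterpreted
    return rec

def is_suspect(rec: dict, threshold: int = 10_000_000) -> bool:
    """Heuristic from the post: large byte count one way, zero or unknown the
    other way, and state RSTOS0. The threshold is an arbitrary assumption."""
    o, r = rec["orig_bytes"] or 0, rec["resp_bytes"] or 0
    lopsided = (o >= threshold and r == 0) or (r >= threshold and o == 0)
    return lopsided and rec["state"] == "RSTOS0"

def partition(text: str):
    """Return (clean, suspect) so analysis can continue on the clean records."""
    clean, suspect = [], []
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            (suspect if is_suspect(rec) else clean).append(rec)
    return clean, suspect
```

The third sample line is lopsided but terminates normally (SF), so it stays in the clean set; state and byte pattern have to coincide before a record is excluded.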