[Bro] conn.log - What does cc=1 mean?

David Vessey jdvessey at gmail.com
Tue Jul 19 11:42:39 PDT 2011

Hello list,

This is my first post - just another network monkey, been playing around
with bro for the last year or so, writing some custom policy files to try
and do some large scale analysis.

Can anyone tell me what the "cc=1" means at the end of a line for conn.log

I'm getting output lines like this:

1307664147.729018 0.103712 https? 1839 443 tcp 1865279311 ?
RSTOS0 X cc=1

The 'sent bytes' is "1865279311", which seems awfully high, and received are
0. A quick survey looks like most entries that have a large byte count with
sent or received and 0 in the other direction have the state set to "RSTOS0"
and the flags set to "X cc=1".

I believe one of the main factors causing this is damaged PCAPs (limited
snaplength, possibly dropped packets). However if I can exclude the damaged
records, I can still carry on with some analysis.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110719/a42bbd6d/attachment.html 

More information about the Bro mailing list