[Bro] conn.log - What does cc=1 mean?
sri at basam.org
Tue Jul 19 13:34:06 PDT 2011
On Tue, Jul 19, 2011 at 2:42 PM, David Vessey <jdvessey at gmail.com> wrote:
> Hello list,
> This is my first post - just another network monkey, been playing around
> with bro for the last year or so, writing some custom policy files to try
> and do some large scale analysis.
> Can anyone tell me what the "cc=1" means at the end of a line for conn.log
> I'm getting output lines like this:
> 1307664147.729018 0.103712 126.96.36.199 188.8.131.52 https? 1839 443 tcp 1865279311 ?
> RSTOS0 X cc=1
> The 'sent bytes' is "1865279311", which seems awfully high, and received
> are 0. A quick survey looks like most entries that have a large byte count
> with sent or received and 0 in the other direction have the state set to
> "RSTOS0" and the flags set to "X cc=1".
> I believe one of the main factors causing this is damaged PCAPs (limited
> snaplength, possibly dropped packets). However if I can exclude the damaged
> records, I can still carry on with some analysis.
I have seen these lines mostly on failed connections (could be either due to
missing packets in the capture file or genuine setup failures). The cc=1 is
from the connection compressor being enabled for this run. There is some
good documentation on what the connection compressor does and what enabling
it means in src/ConnCompressor.cc in the source tree.
I turn off connection compressor for *some* of my analysis since you lose
some information when there are syn retries. Have you looked at some of the
connections which have the cc=1 tag to see if they are just setup failures
or your trace is missing packets or there is something else weird with those
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro