[Bro] Help with searching logs

Seth Hall seth at icir.org
Wed Apr 3 18:23:03 PDT 2013

On Apr 3, 2013, at 4:47 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:

> Looks like resp_bytes is not being properly shown sometimes. Hmm, missed_bytes seems to be large here, too. Sigh - I still don't know what's going on. If missed_bytes is nonzero, the orig and resp bytes can't be trusted. More work and research.
> Here's the unfiltered output:
> scastle at nsm:~/scripts$ zcat /nsm/bro/logs/2013-04-03/conn.19:00:00-20:00:00.log.gz | bro-cut -d | grep\*
> 2013-04-03T19:21:51+0000        ramah8M2Oc1  64888     80      tcp     -       24.008354       0       1214734460      RSTR    T       0       hArR    2       92      3       160     (empty)

This is what I get for not reading the whole email.  Bro has/had an issue with middle boxes sending RST packets to kill TCP connections (great firewall of China being a primary offender) where it would use the sequence number from the RST packet instead of the sequence number from the initial syn or syn-ack.  It resulted in these connections like you have here with very few packets and huge data sizes.  It's fixed in master and if you want more context to the problem you can refer to the ticket where we tracked the issue and fix:


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
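An added check, not code from the thread or from Bro itself, that turns the two signals discussed above into a filter over conn.log records: nonzero missed_bytes means the payload counts are incomplete, and payload bytes larger than the IP-level byte total for the same direction are physically impossible, which is exactly what the bogus-RST-sequence-number case produces. The sample records are constructed (the second one mirrors the values Shane posted; hosts and the other two rows are made up).

```python
# Added example (not from the thread): sanity-check Bro conn.log records for
# byte counts that cannot be trusted. Field names are the standard conn.log
# columns; the log text below is constructed, not captured.
from typing import Dict, Iterator, List

# Constructed sample in conn.log TSV format (header columns as Bro writes them).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1365016911.0\tCpl1st\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\t0.5\t300\t4200\tSF\tT\t0\tShADadfF\t6\t620\t7\t4580\t(empty)
1365016911.0\tramah8M2Oc1\t10.0.0.9\t64888\t203.0.113.7\t80\ttcp\t-\t24.008354\t0\t1214734460\tRSTR\tT\t0\thArR\t2\t92\t3\t160\t(empty)
1365016912.0\tXy9gap\t10.0.0.5\t40000\t198.51.100.2\t443\ttcp\tssl\t3.1\t900\t52000\tSF\tT\t8192\tShADadG\t12\t1500\t40\t60000\t(empty)
"""


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def _num(rec: Dict[str, str], name: str) -> int:
    """Integer value of a numeric column; '-' (unset) counts as 0."""
    return int(rec[name]) if rec[name] not in ("-", "") else 0


def untrusted_byte_counts(text: str) -> List[str]:
    """Return uids whose orig_bytes/resp_bytes should not be trusted.

    - missed_bytes > 0: Bro saw gaps, so payload counts are incomplete.
    - payload bytes exceed the IP-level byte total for the same direction:
      impossible on the wire, and the signature of a RST carrying a sequence
      number unrelated to the SYN (1.2 GB of resp_bytes in 3 packets / 160 B).
    """
    flagged = []
    for rec in parse_conn_log(text):
        bad_orig = _num(rec, "orig_bytes") > _num(rec, "orig_ip_bytes")
        bad_resp = _num(rec, "resp_bytes") > _num(rec, "resp_ip_bytes")
        if _num(rec, "missed_bytes") > 0 or bad_orig or bad_resp:
            flagged.append(rec["uid"])
    return flagged


if __name__ == "__main__":
    print(untrusted_byte_counts(SAMPLE_CONN_LOG))  # ['ramah8M2Oc1', 'Xy9gap']
```

On a real log, feed the output of `zcat conn.log.gz` (or the plain file) to `untrusted_byte_counts` before doing any per-host volume arithmetic with orig_bytes/resp_bytes.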
