[Bro] Issue with small pcap files and -r
sconzo at visiblerisk.com
Mon Jan 7 18:06:55 PST 2013
There are 3-way handshakes and no conn log is produced. The pcaps used
for the tests worked correctly when I tried them.
However, the pcaps I'm testing on have a GRE tunnel in them. After
digging around a bit more it seems like this might be the issue. I
didn't look close enough in wireshark, and the rest of the tools do
the decapsulation before showing results.
Thanks for the quick response.
On Mon, Jan 7, 2013 at 6:25 PM, Robin Sommer <robin at icir.org> wrote:
> On Mon, Jan 07, 2013 at 17:48 -0600, Mike Sconzo wrote:
>> When running bro in stand alone mode is there a size cutoff for it to
>> do anything with a pcap file?
> No, small traces should produce the expected output. We have indeed a
> larger number of unit tests that rely on that; see, e.g.,
> testing/btest/scripts/base/protocols/smtp/basic.test for one using a
> rather small SMTP trace.
> My best guess is that's indeed something with your trace. Try some of
> the small traces in testing/btest/Traces and see what they give you.
>> I've looked through the pcaps in snort, wireshark, tcpdump, and tshark
> One difference between these and Bro is that Bro tracks the TCP state;
> if there's trouble with that, Bro might abort processing, even though
> the other tools continue with their packet-based analysis. Do you get
> a conn.log? That should show up in any case.
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
cat ~/.bash_history > documentation.txt
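The trace in this thread carried its TCP handshakes inside a GRE tunnel, which packet-based tools decapsulate silently while a connection-tracking analyzer may never see the inner flows. The following is an added example, not code from the thread or from the Bro project, that walks a pcap and reports how many IPv4 packets carry GRE and what EtherType they encapsulate; the sample frames, addresses and timestamps are constructed, and the tunnel layout mirrors what the thread describes only as an assumption.

```python
import struct

GRE_PROTO = 47            # IPv4 protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(proto, payload_len, src, dst):
    """Minimal IPv4 header: no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, src, dst)

def tcp_syn_frame(tunnel=False):
    """Constructed sample: Ethernet / IPv4 / TCP SYN, optionally wrapped in
    an outer IPv4 / GRE header (assumed layout of the thread's trace)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip = ipv4_header(6, len(tcp), b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
    if tunnel:
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no flags; carries IPv4
        ip = ipv4_header(GRE_PROTO, len(gre) + len(ip),
                         b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x02") + gre + ip
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def pcap_bytes(frames):
    """Wrap Ethernet frames in a little-endian pcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1357600000 + i, 0, len(f), len(f)) + f
    return out

def gre_summary(data):
    """Walk the pcap records and count frames, GRE-carrying IPv4 packets and
    the EtherType each tunnel carries (0x0800 means an inner IPv4 packet)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("example handles Ethernet (linktype 1) traces only")
    pos, frames, gre, inner = 24, 0, 0, {}
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        frames += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                       # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] == GRE_PROTO and len(frame) >= 14 + ihl + 4:
            gre += 1
            inner_type = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
            inner[inner_type] = inner.get(inner_type, 0) + 1
    return {"frames": frames, "gre": gre, "inner_ethertypes": inner}
```

A non-zero `gre` count next to an empty conn.log points at the tunnel rather than the trace size, which is the diagnosis this thread arrived at.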