[Bro] Duplication of packets and UID's
seth at icir.org
Thu May 1 11:03:59 PDT 2014
On May 1, 2014, at 1:05 PM, nate <nate at nullbyte.net> wrote:
> 1. Why are lines 837 & 838 duplicates of each other, with different time stamps?
I believe this might be a bug that we have fixed in the upcoming 2.3 release. We did some DNS script refactoring. It's a surprisingly hard protocol to get just right.
> 2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 & 1133), with the same timestamps?
I suspect that's the same bug expressing itself again.
> 3. Why do both sections of packets, 10 seconds apart, have the same UID?
Because it's UDP. :) Bro creates mock "connections" for UDP and the client in this case was using the same ephemeral port for multiple queries so they showed up as part of the same "connection". (all quotes very deliberate).
International Computer Science Institute
(Bro) because everyone has a network
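The UDP behaviour Seth describes above, as an added illustration that is not Bro's code and not part of the thread: a small model that keys UDP packets by 5-tuple so that queries reusing the same ephemeral port land in one "connection" and share a UID. The 60 s inactivity window, the UID format and the sample packets are assumptions for the demo.

```python
# Illustrative model (not Bro's implementation) of how UDP packets are
# grouped into mock "connections". A connection is identified by its
# 5-tuple in either direction; packets keep joining it until an assumed
# inactivity window elapses, after which the next packet gets a new UID.
from dataclasses import dataclass

# Assumed inactivity window for UDP flows (Bro makes this tunable).
UDP_INACTIVITY_TIMEOUT = 60.0


@dataclass
class Conn:
    uid: str
    first_ts: float
    last_ts: float
    packets: int = 0


class UdpConnTracker:
    def __init__(self):
        self._active = {}   # canonical 5-tuple -> Conn
        self._counter = 0   # source of demo UIDs (not Bro's UID scheme)

    def _new_uid(self):
        self._counter += 1
        return f"C{self._counter:06d}"

    def observe(self, ts, src_h, src_p, dst_h, dst_p):
        """Return the UID of the connection this UDP packet belongs to."""
        # Direction-independent key: request and reply share a connection.
        key = (tuple(sorted([(src_h, src_p), (dst_h, dst_p)])), "udp")
        conn = self._active.get(key)
        if conn is not None and ts - conn.last_ts > UDP_INACTIVITY_TIMEOUT:
            conn = None  # flow timed out; next packet starts a fresh one
        if conn is None:
            conn = Conn(uid=self._new_uid(), first_ts=ts, last_ts=ts)
            self._active[key] = conn
        conn.last_ts = max(conn.last_ts, ts)
        conn.packets += 1
        return conn.uid


def demo():
    """Constructed sample: two DNS queries 10 s apart from one ephemeral port."""
    t = UdpConnTracker()
    u1 = t.observe(1000.0, "10.0.0.5", 40000, "10.0.0.1", 53)  # query 1
    r1 = t.observe(1000.1, "10.0.0.1", 53, "10.0.0.5", 40000)  # its reply
    u2 = t.observe(1010.0, "10.0.0.5", 40000, "10.0.0.1", 53)  # query 2, same port
    u3 = t.observe(1011.0, "10.0.0.5", 40001, "10.0.0.1", 53)  # new port
    u4 = t.observe(1100.0, "10.0.0.5", 40000, "10.0.0.1", 53)  # after timeout
    return u1 == r1, u1 == u2, u1 == u3, u1 == u4
```

The takeaway for anyone correlating logs: a UID in dns.log identifies the UDP flow, not a single query, so several queries (and their answers) can legitimately carry one UID.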