[Bro] A strange connection
pachinko.tw at gmail.com
Mon Jan 26 07:22:28 PST 2015
If there are duplicated packets due to packet retransmission, will orig_ip_bytes and resp_ip_bytes
still be correct (I mean, the bytes may be counted more than once)? If not, what are the reliable fields to
derive the transmitted bytes (not counting duplicated ones)? Thanks.
On 2015/1/25 10:58PM, Michel Laterman wrote:
> I recently saw the same thing in my logs. It's because orig_bytes and resp_bytes use sequence numbers to find bytes transferred; you are seeing the sequence number rollover. orig_ip_bytes and resp_ip_bytes should have the correct values of bytes (with TCP headers).
> Michel
>
> On Jan 25, 2015 7:40 AM, Balasubramaniam Natarajan <bala150985 at gmail.com> wrote:
>> On Sun, Jan 25, 2015 at 6:12 PM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
>>> 1419498119.991707 CLQP0QdahFaFha0U2 140.x.x.x 58967 66.171.248.x 80 tcp http 253.220343 114502461 592490922 SF T 114502154 ShADadfF 5 519 6 578 (empty)
>> Is this by any chance a SF scan ? If this were a normal connection won't we be seeing an Ack Flag, Push Flag in addition to the SF noted above ?
>> Balasubramaniam Natarajan
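The following is an added example, not code from the thread or from Bro itself. It illustrates the two points raised above: a plausibility check on the posted conn.log record (payload counters derived from sequence numbers, orig_bytes/resp_bytes, cannot legitimately exceed the header-inclusive wire counters orig_ip_bytes/resp_ip_bytes), and a small sequence-number byte counter that unwraps the 32-bit counter and does not count a retransmitted segment twice, next to the naive calculations that go wrong. It assumes the Bro 2.x default conn.log column order, which matches the 20 columns in the posted line; the tab-joined record and the TCP segment list are constructed for the example.

```python
"""Added example: sanity-checking conn.log byte counters and counting payload
from TCP sequence numbers across a 32-bit wrap (not Bro's own code)."""

SEQ_MOD = 1 << 32      # TCP sequence numbers are 32-bit and wrap around
HALF = 1 << 31

# Bro 2.x default conn.log column order (assumed; matches the 20 columns in the posted line)
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
    "resp_ip_bytes", "tunnel_parents",
]
INT_FIELDS = {"orig_bytes", "resp_bytes", "missed_bytes", "orig_pkts",
              "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"}

# The record from the thread, re-joined with tabs (constructed from the posted line)
SAMPLE_LINE = "\t".join([
    "1419498119.991707", "CLQP0QdahFaFha0U2", "140.x.x.x", "58967", "66.171.248.x",
    "80", "tcp", "http", "253.220343", "114502461", "592490922", "SF", "T",
    "114502154", "ShADadfF", "5", "519", "6", "578", "(empty)",
])


def parse_conn_line(line):
    """Split one tab-separated conn.log record into a dict; '-' means unset."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} columns, got {len(cols)}")
    rec = dict(zip(CONN_FIELDS, cols))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def implausible_byte_counts(rec):
    """Return the names of counters that cannot be trusted in this record.

    orig_bytes/resp_bytes are derived from sequence numbers, so they can only
    exceed the bytes actually seen on the wire (orig_ip_bytes/resp_ip_bytes,
    which include headers) if the sequence-based count is wrong or data was missed.
    """
    bad = []
    for payload, wire in (("orig_bytes", "orig_ip_bytes"), ("resp_bytes", "resp_ip_bytes")):
        if rec[payload] is not None and rec[wire] is not None and rec[payload] > rec[wire]:
            bad.append(payload)
    if rec["missed_bytes"]:
        bad.append("missed_bytes")
    return bad


def seq_payload_bytes(first_seq, segments):
    """Payload bytes for one direction from (seq, len) data segments.

    Unwraps the 32-bit counter and ignores retransmissions: a resent segment
    never raises the highest sequence number seen, so it is not counted twice.
    """
    prev_raw, prev_unwrapped, highest = first_seq, 0, 0
    for seq, length in segments:
        # signed distance from the previous segment, taken modulo 2^32
        step = ((seq - prev_raw + HALF) % SEQ_MOD) - HALF
        cur = prev_unwrapped + step
        highest = max(highest, cur + length)
        prev_raw, prev_unwrapped = seq, cur
    return highest


def naive_seq_bytes(first_seq, segments):
    """Plain subtraction of the last end sequence: nonsense once the counter wrapped."""
    seq, length = segments[-1]
    return seq + length - first_seq


def per_packet_sum(segments):
    """Summing every packet seen counts retransmitted payload again."""
    return sum(length for _, length in segments)


# Constructed stream: four distinct 200-byte segments starting just below the
# wrap, with the third one retransmitted once (800 distinct payload bytes).
FIRST = SEQ_MOD - 295                          # 4294967001
SEGMENTS = [
    (FIRST, 200),
    ((FIRST + 200) % SEQ_MOD, 200),
    ((FIRST + 400) % SEQ_MOD, 200),            # counter wrapped: raw seq is 105
    ((FIRST + 400) % SEQ_MOD, 200),            # retransmission of the same segment
    ((FIRST + 600) % SEQ_MOD, 200),
]

if __name__ == "__main__":
    rec = parse_conn_line(SAMPLE_LINE)
    print("suspect counters:", implausible_byte_counts(rec))
    print("unwrapped:", seq_payload_bytes(FIRST, SEGMENTS),
          "naive:", naive_seq_bytes(FIRST, SEGMENTS),
          "per-packet:", per_packet_sum(SEGMENTS))
```

On the posted record the check flags orig_bytes, resp_bytes and missed_bytes, while the 5/519 and 6/578 packet and IP byte counts stay consistent with each other; for the constructed stream the unwrapped counter gives 800, plain subtraction gives a large negative number, and the per-packet sum gives 1000 because of the retransmission.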