[Bro] A strange connection

Michel Laterman mlaterma at ucalgary.ca
Mon Jan 26 09:08:01 PST 2015

I believe that orig_ip_bytes (and resp_ip_bytes) would recount bytes; the description of the fields states that they use the IP level total_length field to take their measurements.


From: Po-Ching Lin <pachinko.tw at gmail.com>
Sent: January 26, 2015 8:22 AM
To: Michel Laterman; Balasubramaniam Natarajan
Cc: bro
Subject: Re: [Bro] A strange connection

Dear Michel,

If there are duplicated packets due to packet retransmission, will orig_ip_bytes and resp_ip_bytes still be correct (I mean the bytes may be counted more than once)? If not, what are the reliable fields to derive the transmitted bytes (not counting duplicated ones)? Thanks.


On 2015/1/25 10:58PM, Michel Laterman wrote:
> Hello,
> I recently saw the same thing in my logs. It's because orig_bytes and resp_bytes use sequence numbers to find bytes transferred; you are seeing the sequence number rollover. orig_ip_bytes and resp_ip_bytes should have the correct values of bytes (with TCP headers).
> Michel
>
> On Jan 25, 2015 7:40 AM, Balasubramaniam Natarajan <bala150985 at gmail.com> wrote:
>> On Sun, Jan 25, 2015 at 6:12 PM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
>>> 1419498119.991707       CLQP0QdahFaFha0U2       140.x.x.x  58967 66.171.248.x  80      tcp   http     253.220343      114502461 592490922       SF      T       114502154       ShADadfF 5       519     6       578     (empty)
>>> Po-Ching
>> Is this by any chance a SF scan ?  If this were a normal connection won't we be seeing an Ack Flag, Push Flag in addition to the SF noted above ?
>> --
>> Regards,
>> Balasubramaniam Natarajan
>> http://blog.etutorshop.com
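The thread contrasts two ways of counting bytes: orig_bytes/resp_bytes, which the replies say are derived from TCP sequence numbers (so they are unaffected by retransmissions but wrap at 2^32 and absorb any gap in the capture), and orig_ip_bytes/resp_ip_bytes, which sum the IP total_length of every packet seen (so a retransmitted segment is counted again). The following is an added illustration, not Bro's own code: it models both counters over a constructed segment list that crosses the sequence-number wrap and includes one retransmission, then applies a consistency check to the conn.log record quoted above. The field order is that of a Bro 2.x-era conn.log (assumed here; check the `#fields` header of your own log), and the 40-byte IP+TCP header size is an assumption for the example.

```python
"""Sequence-number byte counting vs. IP-length byte counting (added example)."""

SEQ_MODULUS = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_delta(start, end):
    """Bytes covered going forward from sequence `start` to `end`, mod 2**32."""
    return (end - start) % SEQ_MODULUS


def payload_bytes_from_seq(segments):
    """Simplified model of a sequence-number based counter (assumption: this is
    how the thread describes orig_bytes/resp_bytes being derived).

    `segments` is a list of (seq, payload_len) tuples in capture order.
    Retransmitted segments do not add bytes; a gap in the capture is counted
    as transferred; the count is wrap-aware across the 2**32 boundary.
    """
    if not segments:
        return 0
    first_seq = segments[0][0]
    highest_end = first_seq
    for seq, plen in segments:
        end = (seq + plen) % SEQ_MODULUS
        # Treat `end` as newer only if it lies less than 2**31 ahead (wrap-aware).
        if seq_delta(highest_end, end) < SEQ_MODULUS // 2:
            highest_end = end
    return seq_delta(first_seq, highest_end)


def ip_bytes(segments, hdr_len=40):
    """Model of orig_ip_bytes/resp_ip_bytes: sum of IP total_length for every
    packet seen, so a retransmission is counted twice. hdr_len is the assumed
    IP+TCP header size (40 bytes, no options)."""
    return sum(hdr_len + plen for _, plen in segments)


# Constructed sample: 256 bytes just below the wrap, 1000 bytes at seq 0,
# the same 1000 bytes retransmitted, then 500 more bytes.
SAMPLE_SEGMENTS = [
    (0xFFFFFF00, 256),
    (0x00000000, 1000),
    (0x00000000, 1000),  # retransmission
    (0x000003E8, 500),
]

# Assumed Bro 2.x conn.log column order (verify against your log's #fields line).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# The record quoted in the thread, reconstructed as a tab-separated line.
SAMPLE_RECORD = "\t".join([
    "1419498119.991707", "CLQP0QdahFaFha0U2", "140.x.x.x", "58967",
    "66.171.248.x", "80", "tcp", "http", "253.220343", "114502461",
    "592490922", "SF", "T", "114502154", "ShADadfF", "5", "519", "6", "578",
    "(empty)",
])


def parse_conn_record(line):
    """Split one tab-separated conn.log line into a field dict."""
    return dict(zip(CONN_FIELDS, line.rstrip("\n").split("\t")))


def check_byte_counters(rec):
    """Return reasons why the sequence-derived byte counters of a record cannot
    be trusted. IP bytes include every captured payload byte plus headers, so
    a payload count larger than the IP byte count cannot come from packets
    actually seen; a non-zero missed_bytes says the same thing directly."""
    reasons = []
    for side in ("orig", "resp"):
        b = int(rec[f"{side}_bytes"])
        ipb = int(rec[f"{side}_ip_bytes"])
        if b > ipb:
            reasons.append(f"{side}_bytes={b} exceeds {side}_ip_bytes={ipb}")
    if int(rec["missed_bytes"]) > 0:
        reasons.append(f"missed_bytes={rec['missed_bytes']} (content gap in capture)")
    return reasons


if __name__ == "__main__":
    print("seq-based payload bytes:", payload_bytes_from_seq(SAMPLE_SEGMENTS))
    print("ip total_length bytes:  ", ip_bytes(SAMPLE_SEGMENTS))
    for reason in check_byte_counters(parse_conn_record(SAMPLE_RECORD)):
        print("suspect:", reason)
```

For the constructed segments the sequence-based count is 1756 (256 + 1000 + 500, the retransmission ignored and the wrap handled), while the IP-length count is 2916 (four packets' headers plus the retransmitted 1000 bytes counted again). Run over the quoted record, the check flags both sides, since 114502461 and 592490922 payload bytes cannot have come from 519 and 578 IP bytes, and also reports the non-zero missed_bytes; for such records the *_ip_bytes columns are the ones that reflect what was actually captured.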
