[Bro] A strange connection
mlaterma at ucalgary.ca
Mon Jan 26 09:08:01 PST 2015
I believe that orig_ip_bytes (and resp_ip_bytes) would recount bytes; the description of the fields states that they use the IP-level total_length field to take their measurements.
From: Po-Ching Lin <pachinko.tw at gmail.com>
Sent: January 26, 2015 8:22 AM
To: Michel Laterman; Balasubramaniam Natarajan
Subject: Re: [Bro] A strange connection
If there are duplicated packets due to packet retransmission, will orig_ip_bytes and resp_ip_bytes still be correct (I mean the bytes may be counted more than once)? If not, what are the reliable fields to derive the transmitted bytes (not counting duplicated ones)? Thanks.
On 2015/1/25 10:58PM, Michel Laterman wrote:
> I recently saw the same thing in my logs. It's because orig_bytes and resp_bytes use sequence numbers to find bytes transferred; you are seeing the sequence number rollover. orig_ip_bytes and resp_ip_bytes should have the correct values of bytes (with TCP headers).
> Michel
> On Jan 25, 2015 7:40 AM, Balasubramaniam Natarajan <bala150985 at gmail.com> wrote:
>> On Sun, Jan 25, 2015 at 6:12 PM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
>>> 1419498119.991707 CLQP0QdahFaFha0U2 140.x.x.x 58967 66.171.248.x 80 tcp http 253.220343 114502461 592490922 SF T 114502154 ShADadfF 5 519 6 578 (empty)
>> Is this by any chance an SF scan? If this were a normal connection, wouldn't we be seeing an Ack flag and a Push flag in addition to the SF noted above?
>> Balasubramaniam Natarajan
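Added example (not from this thread and not Bro's own code): a Python sanity check for the conn.log record quoted above, plus a small model of the two byte-counting methods the thread contrasts. The check uses the fact that payload bytes derived from TCP sequence numbers can never legitimately exceed the IP-level byte count for the same direction, because the latter also includes IP and TCP headers; when orig_bytes is larger than orig_ip_bytes, the sequence-number-derived value is the one to distrust, which is exactly the rollover symptom Michel describes. The model then runs a constructed segment list with one retransmission and another that crosses the 32-bit sequence boundary through a per-packet IP total_length sum, a naive "last minus first" sequence count, and a wrap-aware sequence count. The 20-column field order is assumed from the sample line (Bro 2.3-era layout); `Segment`, `MASK32`, the helper names and all sample data are constructed here.

```python
"""Sanity-check conn.log byte counters and model seq-based vs IP-length-based counting.

Added example for the thread above; not Bro code. Column order is assumed from the
sample conn.log line (Bro 2.3-era 20-column layout, local_orig present, no local_resp).
"""
from dataclasses import dataclass

# Assumed column order of the sample line (real logs are tab-separated).
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state local_orig missed_bytes history "
               "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()
INT_FIELDS = {"id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes", "missed_bytes",
              "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"}

# The record from the thread, as a constructed test input (addresses already anonymized).
SAMPLE_LINE = ("1419498119.991707 CLQP0QdahFaFha0U2 140.x.x.x 58967 66.171.248.x 80 tcp http "
               "253.220343 114502461 592490922 SF T 114502154 ShADadfF 5 519 6 578 (empty)")


def parse_conn_line(line):
    """Split one conn.log record into a dict, converting the numeric counters to int."""
    fields = line.split()
    if len(fields) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} columns, got {len(fields)}")
    rec = dict(zip(CONN_FIELDS, fields))
    for key in INT_FIELDS:
        rec[key] = 0 if rec[key] == "-" else int(rec[key])
    return rec


def check_byte_counters(rec):
    """Return findings about the record's byte counters.

    *_bytes is payload derived from sequence numbers; *_ip_bytes is the per-packet IP
    total_length sum, which also carries headers. Payload can never exceed IP bytes, so
    a larger *_bytes means the sequence-number counter is unreliable (e.g. rollover).
    """
    findings = []
    for side in ("orig", "resp"):
        seq_bytes, ip_bytes_ = rec[f"{side}_bytes"], rec[f"{side}_ip_bytes"]
        if seq_bytes > ip_bytes_:
            findings.append(f"{side}_bytes {seq_bytes} > {side}_ip_bytes {ip_bytes_}: "
                            "sequence-number-derived count unreliable")
    if rec["missed_bytes"]:
        findings.append(f"missed_bytes={rec['missed_bytes']}: sequence gap recorded")
    return findings


@dataclass
class Segment:
    seq: int       # 32-bit TCP sequence number of the first payload byte
    payload: int   # payload length in bytes
    ip_len: int    # IP total_length: IP header + TCP header + payload


MASK32 = 0xFFFFFFFF

# Constructed: three 1000-byte segments, the second one retransmitted once.
RETRANSMIT = [Segment(1000, 1000, 1040), Segment(2000, 1000, 1040),
              Segment(2000, 1000, 1040),  # retransmission of the previous segment
              Segment(3000, 1000, 1040)]
# Constructed: three 1000-byte segments whose sequence numbers wrap past 2**32.
ROLLOVER = [Segment((1 << 32) - 500, 1000, 1040), Segment(500, 1000, 1040),
            Segment(1500, 1000, 1040)]


def ip_bytes(segs):
    """IP total_length summed per packet: a retransmitted segment is counted again."""
    return sum(s.ip_len for s in segs)


def naive_seq_bytes(segs):
    """Last byte minus first byte with no wrap handling: goes negative at rollover."""
    return segs[-1].seq + segs[-1].payload - segs[0].seq


def seq_bytes(segs):
    """Payload bytes from sequence numbers, tracking the highest byte seen modulo 2**32.

    Retransmitted or out-of-order data advances nothing; new data past the high-water
    mark is added, so both retransmission and 32-bit wrap are handled.
    """
    highest, total = segs[0].seq, 0
    for s in segs:
        end = (s.seq + s.payload) & MASK32
        delta = (end - highest) & MASK32
        if delta >= 1 << 31:          # "behind" the high-water mark: old data
            delta -= 1 << 32
        if delta > 0:
            total += delta
            highest = end
    return total


if __name__ == "__main__":
    rec = parse_conn_line(SAMPLE_LINE)
    for finding in check_byte_counters(rec):
        print(rec["uid"], finding)
    for name, segs in (("retransmit", RETRANSMIT), ("rollover", ROLLOVER)):
        print(f"{name}: ip_bytes={ip_bytes(segs)} naive_seq={naive_seq_bytes(segs)} "
              f"seq={seq_bytes(segs)}")
```

On the sample record the check flags both directions (114502461 payload bytes against 519 IP-level bytes in five packets cannot be a real transfer) and the non-zero missed_bytes, which is the same rollover symptom seen from the gap side. The segment model shows the trade-off the thread is asking about: the IP total_length sum counts the retransmitted segment a second time (4160 against 3000 bytes of distinct payload), while a sequence-number count ignores the retransmission but must be wrap-aware to survive rollover. As a side note on the question about SF: in conn.log, SF is the conn_state code for a normally established and terminated connection, not a SYN+FIN flag combination, and the history field ShADadfF already records the ACK (A) and data (D, d) exchanged.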