[Bro] Strange Issue with Live Capture
lists at g-clef.net
Mon Jan 26 09:21:19 PST 2015
If I were to bet, I'd guess it has something to do with how the Endace
card is load-balancing packets across your bro workers. If the
retransmission packets are ending up on different workers than the
original session, then each worker will think it's got a new session,
and log it accordingly.
How do you have the Endace card configured? (for the 9.2X2 I have,
n_tuple_select is the pertinent config option.)
On 01/26/2015 11:59 AM, Andrew Benson wrote:
> We're currently using Endace DAG capture cards to feed directly to bro,
> snort, and a rolling packet capture.
> The network we're currently looking at has a high number of retransmissions
> (at one point we counted 45% of traffic being retransmissions).
> Bro is currently logging each packet as a separate connection in conn.log,
> and is failing to run the protocol analyzers correctly (i.e. it'll detect
> it as FTP, but will only log the action, not the login, response).
> What's weird is that if I run bro against the rolling pcap, it works
> correctly. This problem only occurs when bro is listening to the device.
> This problem is still occurring with 2.3.1, so I'm at a loss. I enabled the
> capture-loss module, and it's reporting 0%. The capture card doesn't seem
> to be dropping anything either.
> Seen anything similar or have any suggestions for troubleshooting/fixing?
> Knowing is Half the Battle.
> Bro mailing list
> bro at bro-ids.org
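To make the load-balancing hypothesis above concrete, the following is an added Python model, not code from the original post and not Endace's or Bro's own logic, of how a capture card's distribution policy decides which worker sees which packets. It assumes three hypothetical policies (per-packet round-robin, a hash of the directional 5-tuple, and a hash of a symmetric endpoint key), four workers, and constructed traffic: two FTP control sessions whose data segments are each retransmitted once, as in the symptom described. It then counts how many connections the workers would log between them and how many of those include both the SYN and the SYN-ACK.

```python
"""Model of how a capture card's load-balancing policy decides what each Bro
worker sees.  Constructed example: two FTP control sessions with
retransmissions, spread over 4 workers by three hypothetical policies."""
import zlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as a string, e.g. "S", "SA", "PA"
    seq: int
    retrans: bool = False


def session(client, cport, server, sport):
    """One constructed FTP control session: handshake, banner and USER
    command, each data segment retransmitted once (the symptom in the post)."""
    c2s = lambda flags, seq, r=False: Packet(client, cport, server, sport, flags, seq, r)
    s2c = lambda flags, seq, r=False: Packet(server, sport, client, cport, flags, seq, r)
    return [
        c2s("S", 100), s2c("SA", 500), c2s("A", 101),
        s2c("PA", 501), s2c("PA", 501, True),      # "220 banner", retransmitted
        c2s("A", 101),
        c2s("PA", 101), c2s("PA", 101, True),      # "USER anonymous", retransmitted
    ]


# Constructed traffic: two clients talking to one FTP server (16 packets).
PKTS = session("10.0.0.5", 40001, "192.0.2.21", 21) + session("10.0.0.9", 51234, "192.0.2.21", 21)
N_WORKERS = 4


def directional_key(p):
    """Tuple as seen on the wire; the reverse direction has a different key."""
    return (p.src, p.sport, p.dst, p.dport)


def symmetric_key(p):
    """Order-independent endpoint pair, so both directions share one key."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return a + b


def stable_hash(key):
    # crc32 so results do not depend on Python's per-process hash salt
    return zlib.crc32(repr(key).encode())


def lb_per_packet(pkts, n):
    """Round-robin: packet i goes to worker i % n, ignoring flows entirely."""
    return [(i % n, p) for i, p in enumerate(pkts)]


def lb_directional_hash(pkts, n):
    """Hash of the directional tuple: a flow's two directions may split."""
    return [(stable_hash(directional_key(p)) % n, p) for p in pkts]


def lb_symmetric_hash(pkts, n):
    """Hash of the symmetric key: every packet of a flow, both directions and
    retransmissions included, lands on the same worker."""
    return [(stable_hash(symmetric_key(p)) % n, p) for p in pkts]


def worker_view(assignment):
    """For each worker, the flows it observed and the TCP flags it saw in them."""
    view = defaultdict(lambda: defaultdict(set))
    for worker, p in assignment:
        view[worker][symmetric_key(p)].add(p.flags)
    return view


def summarize(assignment):
    """Return (connections that would be logged across all workers,
    connections where a single worker saw both SYN and SYN-ACK)."""
    view = worker_view(assignment)
    logged = sum(len(flows) for flows in view.values())
    complete = sum(1 for flows in view.values()
                   for flags in flows.values() if {"S", "SA"} <= flags)
    return logged, complete


if __name__ == "__main__":
    for name, policy in [("per-packet", lb_per_packet),
                         ("directional hash", lb_directional_hash),
                         ("symmetric hash", lb_symmetric_hash)]:
        logged, complete = summarize(policy(PKTS, N_WORKERS))
        print(f"{name:17s}: {logged} conn.log entries, {complete} with a full "
              f"handshake (actual sessions: 2)")
```

With four workers the per-packet policy turns two sessions into eight partial connections, none of which contains a complete handshake, which is the shape of the symptom reported (one conn.log entry per packet, analyzers never seeing the login). With a single reader, as when Bro is run against the rolling pcap, every policy delivers all 16 packets to one place and both sessions are reconstructed, so the comparison only surfaces on the live multi-worker path.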