[Bro] Strange Issue with Live Capture

Aaron Gee-Clough lists at g-clef.net
Mon Jan 26 09:21:19 PST 2015


If I were to bet, I'd guess it has something to do with how the Endace 
card is load-balancing packets across your bro workers. If the 
retransmission packets are ending up on different workers than the 
original session, then each worker will think it's got a new session, 
and log it accordingly.

How do you have the Endace card configured? (for the 9.2X2 I have, 
n_tuple_select is the pertinent config option.)

aaron

On 01/26/2015 11:59 AM, Andrew Benson wrote:
> We're currently using Endace DAG capture cards to feed directly to bro,
> snort, and a rolling packet capture.
>
> The network we're currently looking at has a high number of retransmissions
> (at one point we counted 45% of traffic being retransmissions).
>
> Bro is currently logging each packet as a separate connection in conn.log,
> and is failing to run the protocol analyzers correctly (i.e. it'll detect
> it as FTP, but will only log the action, not the login, response).
>
> What's weird is that if I run bro against the rolling pcap, it works
> correctly. This problem only occurs when bro is listening to the device
> directly.
>
> This problem is still occurring with 2.3.1, so I'm at a loss. I enabled the
> capture-loss module, and it's reporting 0%. The capture card doesn't seem
> to be dropping anything either.
>
> Seen anything similar or have any suggestions for troubleshooting/fixing?
>
> --
> AndrewB
> Knowing is Half the Battle.
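To make the mechanism in Aaron's reply concrete, here is a small simulation added to this thread (not code from the list, from Bro, or from Endace): one TCP flow with retransmissions is spread across four workers, once by per-packet round robin and once by a symmetric 4-tuple hash standing in for an n-tuple mode; the hash function and sample packets are constructed assumptions, not Endace's actual algorithm.

```python
"""Show how load-balancing policy decides whether one flow becomes one
conn.log entry or several.  Added example; assumes a crc32-based symmetric
hash as a stand-in for a capture card's n-tuple mode (not Endace's code)."""
from collections import defaultdict
import zlib

# Constructed sample flow: client -> FTP server, with the USER packet
# retransmitted twice.  Fields: (src, sport, dst, dport, seq)
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.9", 21, 1),   # SYN
    ("10.0.0.9", 21, "10.0.0.5", 40000, 1),   # SYN/ACK
    ("10.0.0.5", 40000, "10.0.0.9", 21, 2),   # USER ...
    ("10.0.0.5", 40000, "10.0.0.9", 21, 2),   # retransmission
    ("10.0.0.5", 40000, "10.0.0.9", 21, 2),   # retransmission
    ("10.0.0.9", 21, "10.0.0.5", 40000, 2),   # 331 reply
]

def flow_key(pkt):
    """Direction-independent flow identity: endpoints sorted."""
    src, sport, dst, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def round_robin(packets, n_workers):
    """Per-packet round robin: ignores flow identity entirely."""
    return [i % n_workers for i, _ in enumerate(packets)]

def symmetric_hash(packets, n_workers):
    """Hash the sorted 4-tuple so both directions and every retransmission
    of a flow land on the same worker (assumed policy)."""
    out = []
    for pkt in packets:
        (a, b) = flow_key(pkt)
        key = f"{a[0]}:{a[1]}-{b[0]}:{b[1]}".encode()
        out.append(zlib.crc32(key) % n_workers)
    return out

def sessions_per_worker(packets, assignment):
    """Each worker only sees its own packets and builds its own idea of
    which connections exist.  Returns {worker: set of flow keys}."""
    seen = defaultdict(set)
    for pkt, w in zip(packets, assignment):
        seen[w].add(flow_key(pkt))
    return dict(seen)

def count_logged_connections(packets, assignment):
    """Total conn.log-style entries across all workers for one real flow."""
    return sum(len(s) for s in sessions_per_worker(packets, assignment).values())
```

With four workers, round robin yields four logged connections for the single flow (and no worker sees the complete FTP exchange), while the symmetric hash yields one.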

