[Bro] pcap replay issue

Dk Jack dnj0496 at gmail.com
Sat Nov 14 14:15:11 PST 2015


Hi,
I am trying to replay a small ssl pcap and have bro analyze the packets. When I
do tcpreplay on the pcap, the first time I see five ssl connections in the bro
ssl log. When I replay the same pcap within a minute or so of the first replay,
then I only see 3 connections. If I give a gap of say 5 mins between the
replays, then I see 5 connections in the 2nd replay too. If I use
tcpreplay-edit with the -s option, i.e. where the source is randomized, then I
see 5 connections both times even if I don't have a large delay between the
two replays. Also, I see some messages in the weird.log.

I've attached the pcap, ssl_with_delay.log (shows all 10 connections from
two replays), ssl_no_delay.log (shows only 8 connections from 2 replays) and
weird.log.

Could someone explain what's going on and whether there is a workaround for
this issue? Thanks.

Dnj.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iis.pcap
Type: application/octet-stream
Size: 27548 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151114/5a61a04a/attachment-0004.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_no_delay.log
Type: application/octet-stream
Size: 2124 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151114/5a61a04a/attachment-0005.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_with_delay.log
Type: application/octet-stream
Size: 2508 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151114/5a61a04a/attachment-0006.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: weird.log
Type: application/octet-stream
Size: 656 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151114/5a61a04a/attachment-0007.obj 
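As an added example (not part of this post, its attachments, or the Bro project's own code), the script below reads a Bro ASCII log using its `#fields` header and reports orig/resp address-and-port tuples that recur within a chosen window. The working assumption it helps check is that Bro keys connection state on that tuple, so a second replay that reuses the same addresses and ports within the inactivity timeout is a candidate to be folded into the earlier connection (and to show up in weird.log) rather than logged as a new one, while a randomized source address produces distinct tuples. The log lines are constructed for illustration; the column layout mirrors the leading fields of a real ssl.log but is not the poster's attachment.

```python
from collections import defaultdict

# Constructed sample ssl.log excerpt (not the attached file): two replays of
# the same capture, the second starting 30 s after the first. Only the
# leading columns are included; a real ssl.log carries more fields.
SAMPLE_SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1447539300.100000\tCa1\t10.0.0.5\t49152\t192.0.2.10\t443\tTLSv12\texample.test
1447539300.200000\tCa2\t10.0.0.5\t49153\t192.0.2.10\t443\tTLSv12\texample.test
1447539300.300000\tCa3\t10.0.0.5\t49154\t192.0.2.10\t443\tTLSv12\t-
1447539330.100000\tCb1\t10.0.0.5\t49152\t192.0.2.10\t443\tTLSv12\texample.test
1447539330.200000\tCb2\t10.0.0.5\t49155\t192.0.2.10\t443\tTLSv12\texample.test
#close\t2015-11-14-14-15-11
"""


def parse_bro_log(text):
    """Parse a tab-separated Bro ASCII log into a list of row dicts.

    Column names come from the #fields header; every other '#' line
    (separator, types, close) is metadata and is skipped. The unset
    marker '-' is mapped to None.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def flow_key(row):
    """Originator host/port and responder host/port; ssl.log is TCP only,
    so the protocol is implied and not part of the key."""
    return (row["id.orig_h"], int(row["id.orig_p"]),
            row["id.resp_h"], int(row["id.resp_p"]))


def count_unique_flows(rows):
    """Number of distinct flow keys in the log (versus number of rows)."""
    return len({flow_key(r) for r in rows})


def find_tuple_reuse(rows, window_s):
    """Report flow keys whose successive occurrences are closer than window_s.

    Returns {flow_key: [(earlier_uid, later_uid, gap_seconds), ...]}. A hit
    means the second replay reused the exact addresses and ports of an
    earlier connection within the window, which is the condition under
    which a tracker keyed on the tuple may merge the two.
    """
    by_key = defaultdict(list)
    for r in rows:
        by_key[flow_key(r)].append((float(r["ts"]), r["uid"]))
    reuse = {}
    for key, seen in by_key.items():
        seen.sort()
        hits = []
        for (t0, u0), (t1, u1) in zip(seen, seen[1:]):
            gap = t1 - t0
            if gap < window_s:
                hits.append((u0, u1, round(gap, 3)))
        if hits:
            reuse[key] = hits
    return reuse


if __name__ == "__main__":
    rows = parse_bro_log(SAMPLE_SSL_LOG)
    print(f"{len(rows)} rows, {count_unique_flows(rows)} distinct flows")
    for key, hits in find_tuple_reuse(rows, window_s=60.0).items():
        for earlier, later, gap in hits:
            print(f"{key}: {later} reuses {earlier} after {gap} s")
```

Run it against the real ssl.log from the no-delay replay: any tuple that appears once there but twice in the with-delay log is a connection the second replay lost, and the window that makes the hits disappear approximates the timeout in play.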