[Bro] TCP retransmissions
sven at dreyer-net.de
Thu Sep 3 15:02:15 PDT 2015
I stumbled upon a few entries in conn.log that tell me there is an
incoming connection from an IMAP mailserver (public IP) to my notebook
computer (private IP, behind NAT).
In fact, I only have outgoing connections from that notebook computer to
the IMAP server. I can find these in conn.log as well.
Of course I do not have any port forwarding to that notebook computer,
so I took a tshark trace on the router and waited for another occurrence.
According to tshark on the router, there was no incoming connection from
the IMAP server.
But tshark on the router also revealed some TCP retransmissions from the
IMAP server to my notebook. Every time tshark sees one of these TCP
retransmissions, I get an incoming connection in conn.log. I think the
retransmissions are due to a weak Wifi signal between router and notebook.
Is it possible that TCP retransmissions are classified as new
connections by Bro? Or does anybody have a hint where else to search for