[Bro] TCP retransmissions

Sven Dreyer sven at dreyer-net.de
Thu Sep 3 15:02:15 PDT 2015

Dear list,

I stumbled upon a few entries in conn.log that tell me there is an 
incoming connection from an IMAP mail server (public IP) to my notebook 
computer (private IP, behind NAT).

In fact, I only have outgoing connections from that notebook computer to 
the IMAP server. I can find these in conn.log as well.

Of course I do not have any port forwarding to that notebook computer, 
so I took a tshark trace on the router and waited for another occurrence.

According to tshark on the router, there was no incoming connection from 
the IMAP server.

But tshark on the router also revealed some TCP retransmissions from the 
IMAP server to my notebook. Every time tshark sees one of these TCP 
retransmissions, I get an incoming connection in conn.log. I think the 
retransmissions are due to a weak Wifi signal between router and notebook.

Is it possible that TCP retransmissions are classified as new 
connections by Bro? Or does anybody have a hint where else to search for 
the reason?
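
A small triage helper for exactly this kind of conn.log question, added here as an example (it is not Bro's code and not from the thread): it reads conn.log rows via the #fields header and flags "incoming" entries whose originator is an outside address and whose history field has no uppercase S (no SYN seen from the originator, the condition conn_state OTH also denotes), then looks for the earlier outbound entry with the same endpoints reversed. The sample rows, addresses and the local prefix 192.168.1.0/24 are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed conn.log excerpt in Bro's tab-separated ASCII format (only the
# columns this helper needs). 203.0.113.10 plays the IMAP server,
# 192.168.1.20 the notebook behind NAT.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory\n"
    "1441318800.1\tCabc1\t192.168.1.20\t50123\t203.0.113.10\t993\ttcp\tSF\tShADadFf\n"
    "1441318900.2\tCabc2\t203.0.113.10\t993\t192.168.1.20\t50123\ttcp\tOTH\tD\n"
    "1441318950.3\tCabc3\t192.168.1.20\t50124\t203.0.113.10\t993\ttcp\tS1\tShADad\n"
)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro ASCII conn.log rows into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines (#separator, #types, #close ...)
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def midstream_inbound(records, local_net: str):
    """Entries that look like an 'incoming' connection Bro assembled from
    mid-stream packets: originator outside the local network and no
    uppercase 'S' (SYN from originator) in history. conn_state OTH means
    the same thing: no SYN seen, just midstream traffic."""
    net = ipaddress.ip_network(local_net)
    return [r for r in records
            if ipaddress.ip_address(r["id.orig_h"]) not in net
            and "S" not in r["history"]]


def matching_outbound(entry, records):
    """Earlier entries whose 4-tuple is the flagged one with the endpoints
    swapped, i.e. the real outbound session the stray packet belongs to."""
    return [r for r in records
            if float(r["ts"]) < float(entry["ts"])
            and r["id.orig_h"] == entry["id.resp_h"]
            and r["id.orig_p"] == entry["id.resp_p"]
            and r["id.resp_h"] == entry["id.orig_h"]
            and r["id.resp_p"] == entry["id.orig_p"]]


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for hit in midstream_inbound(rows, "192.168.1.0/24"):
        twins = [r["uid"] for r in matching_outbound(hit, rows)]
        print(hit["uid"], hit["conn_state"], hit["history"], "<- outbound:", twins)
```

Run it against a real conn.log by replacing SAMPLE_CONN_LOG with the file contents; a flagged row whose twin exists is a stray segment of a known outbound session, not a new inbound connection.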
