[Bro] weird.log help

Josh Guild josh.guild at morphick.com
Thu Apr 14 13:18:22 PDT 2016

Howdy all,

I'm trying to debug some traffic that is coming off an aggregator right
now. I was pointed to this helpful set of slides from Vlad on how to
troubleshoot and verify a network (

Looking at the weird.log from a ~2 min pcap on a network with ~6 Gbps
throughput, I've noticed these entries in the weird.log (top 10 or so).

5454 line_terminated_with_single_CR
4012 above_hole_data_without_any_acks
2827 TCP_ack_underflow_or_misorder
2601 SYN_seq_jump
2395 TCP_seq_underflow_or_misorder
2192 FIN_advanced_last_seq
1330 HTTP_version_mismatch
570 bad_HTTP_request
333 unescaped_special_URI_char
205 window_recision
151 dns_unmatched_msg

Now my questions are these - 1) That seems like a lot of errors for a small
sample set but I don't have a reference point for a network of this size.
Does anyone else have an equivalent network that they could sanity check
for me? 2) Is there a good reference for these weird.log entries that I can
look at to try to pin down what is going wrong in the network? I'm
particularly interested in the HTTP_version_mismatch and a few other that
Vlad mentioned in his presentation.

The main reason I'm interested in the details on HTTP_version_mismatch is
because I have two pcaps from two separate ports off the aggregator and,
for some reason, one is showing as HTTP2 (but only in the OSX version of
Wireshark) and Bro can't read pcap properly. The other pcap is read just

Sorry for the wall of text but if anyone can point me in the right
direction, I'd be much obliged. Thanks!

Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160414/0d04e74e/attachment.html 

More information about the Bro mailing list