[Bro] weird.log help
josh.guild at morphick.com
Thu Apr 14 13:18:22 PDT 2016
I'm trying to debug some traffic that is coming off an aggregator right
now. I was pointed to this helpful set of slides from Vlad on how to
troubleshoot and verify a network (
Looking at the weird.log from a ~2 min pcap on a network with ~6 Gbps
throughput, I've noticed these entries in the weird.log (top 10 or so).
Now my questions are these - 1) That seems like a lot of errors for a small
sample set but I don't have a reference point for a network of this size.
Does anyone else have an equivalent network that they could sanity check
for me? 2) Is there a good reference for these weird.log entries that I can
look at to try to pin down what is going wrong in the network? I'm
particularly interested in the HTTP_version_mismatch and a few others that
Vlad mentioned in his presentation.
The main reason I'm interested in the details on HTTP_version_mismatch is
because I have two pcaps from two separate ports off the aggregator and,
for some reason, one is showing as HTTP2 (but only in the OSX version of
Wireshark) and Bro can't read the pcap properly. The other pcap is read just
Sorry for the wall of text but if anyone can point me in the right
direction, I'd be much obliged. Thanks!
Network Intelligence Analyst
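Added example, not from the original post or from the Bro project: a small Python script that parses a Bro 2.x weird.log (tab-separated, with the usual #separator/#fields header) and produces the numbers one would want before comparing against another sensor: total entries, capture window, entries per second, count per weird name, and for each name the single originating host that contributes most of it. The last figure is the quick check for whether a weird like HTTP_version_mismatch is spread across the network or concentrated on a few hosts, which is what you would expect if one aggregator port were delivering damaged traffic. The log lines embedded below are constructed for the example; the field layout (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, name, addl, notice, peer) is the 2.x default and is an assumption about the reader's Bro version.

```python
"""Summarise a Bro weird.log for comparison with another sensor or capture.

Added example, not part of the original post. The sample log below is
constructed, not real traffic; it spans 120 s to mimic a ~2 minute pcap.
"""
import codecs
import io
from collections import Counter, defaultdict

# Constructed Bro 2.x weird.log. "\\x09" in the #separator line is the literal
# escape Bro writes; every other \t here is a real tab.
SAMPLE_WEIRD_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#open\t2016-04-14-13-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1460664000.000000\tC1\t10.1.1.10\t50001\t192.0.2.20\t80\tHTTP_version_mismatch\t-\tF\tbro
1460664010.500000\tC2\t10.1.1.10\t50002\t192.0.2.21\t80\tHTTP_version_mismatch\t-\tF\tbro
1460664020.000000\tC3\t10.1.1.10\t50003\t192.0.2.22\t80\tHTTP_version_mismatch\t-\tF\tbro
1460664030.250000\tC4\t10.1.1.11\t50004\t192.0.2.20\t80\tHTTP_version_mismatch\t-\tF\tbro
1460664045.000000\tC5\t10.1.1.12\t50005\t192.0.2.30\t443\tbad_TCP_checksum\t-\tF\tbro
1460664060.000000\tC6\t10.1.1.13\t50006\t192.0.2.31\t443\tbad_TCP_checksum\t-\tF\tbro
1460664090.000000\tC7\t10.1.1.14\t50007\t192.0.2.40\t53\tdns_unmatched_msg\t-\tF\tbro
1460664120.000000\t-\t-\t-\t-\t-\tpossible_split_routing\t-\tF\tbro
#close\t2016-04-14-13-02-00
"""


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by #fields names.

    Honours #separator and #unset_field from the header; unset values ("-")
    become None so they are not mistaken for a host named "-".
    """
    sep, unset, fields, records = "\t", "-", None, []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Bro writes the separator as an escape such as \x09.
                sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            elif line.startswith("#unset_field"):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def summarize_weird(records):
    """Return totals, capture window, rate, per-name counts and the dominant
    originating host per weird name (host, share of that name's entries)."""
    names = Counter(r["name"] for r in records)
    ts = [float(r["ts"]) for r in records]
    window = (max(ts) - min(ts)) if len(ts) > 1 else 0.0
    per_sec = len(records) / window if window else float(len(records))
    by_name_src = defaultdict(Counter)
    for r in records:
        # Some weirds (e.g. possible_split_routing) carry no connection id.
        by_name_src[r["name"]][r["id.orig_h"] or "(no conn)"] += 1
    top_src = {}
    for name, hosts in by_name_src.items():
        host, n = hosts.most_common(1)[0]
        top_src[name] = (host, n / names[name])
    return {"total": len(records), "window_s": window, "per_sec": per_sec,
            "names": names, "top_src": top_src}


if __name__ == "__main__":
    s = summarize_weird(parse_bro_log(SAMPLE_WEIRD_LOG))
    print("%d weirds in %.0f s (%.3f/s)" % (s["total"], s["window_s"], s["per_sec"]))
    for name, n in s["names"].most_common():
        host, share = s["top_src"][name]
        print("%-28s %4d  top src %-12s %3.0f%%" % (name, n, host, 100 * share))
```

Run it against a real weird.log by replacing SAMPLE_WEIRD_LOG with the file contents; comparing the per-second rate and the top-source share for the two aggregator ports separately is more informative than comparing raw counts, because a port that delivers truncated or reordered frames tends to show one name dominated by a handful of hosts rather than a broad spread.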