[Bro] weird.log help

Daniel Guerra daniel.guerra69 at gmail.com
Fri Apr 15 15:43:33 PDT 2016


Use reordercap

https://www.wireshark.org/docs/man-pages/reordercap.html

Or it might help to install the tcprs plugin.

You could do some timeout tweaking too.

> On 15 Apr 2016, at 14:35, Josh Guild <josh.guild at morphick.com> wrote:
> 
> Thanks, Dan, I'll look into this. 
> When I analyze the pcap in Wireshark I see a lot of "port reuse" errors as well, which I think is indicative of this as well.
> 
> 
> On Thu, Apr 14, 2016 at 6:07 PM, Daniel Guerra <daniel.guerra69 at gmail.com> wrote:
> I don’t know your situation but this looks like a reordering problem. All tools expect a time order.
> 
> Timeout increase might help.
> 
>> On 14 Apr 2016, at 22:18, Josh Guild <josh.guild at morphick.com> wrote:
>> 
>> Howdy all,
>> 
>> I'm trying to debug some traffic that is coming off an aggregator right now. I was pointed to this helpful set of slides from Vlad on how to troubleshoot and verify a network (https://speakerdeck.com/vladg/bro-deployment-verification-and-troubleshooting).
>> 
>> Looking at the weird.log from a ~2 min pcap on a network with ~6 Gbps throughput, I've noticed these entries in the weird.log (top 10 or so).
>> 
>> 5454 line_terminated_with_single_CR
>> 4012 above_hole_data_without_any_acks
>> 2827 TCP_ack_underflow_or_misorder
>> 2601 SYN_seq_jump
>> 2395 TCP_seq_underflow_or_misorder
>> 2192 FIN_advanced_last_seq
>> 1330 HTTP_version_mismatch
>> 570 bad_HTTP_request
>> 333 unescaped_special_URI_char
>> 205 window_recision
>> 151 dns_unmatched_msg
>> 
>> Now my questions are these - 1) That seems like a lot of errors for a small sample set but I don't have a reference point for a network of this size. Does anyone else have an equivalent network that they could sanity check for me? 2) Is there a good reference for these weird.log entries that I can look at to try to pin down what is going wrong in the network? I'm particularly interested in the HTTP_version_mismatch and a few others that Vlad mentioned in his presentation.
>> 
>> The main reason I'm interested in the details on HTTP_version_mismatch is because I have two pcaps from two separate ports off the aggregator and, for some reason, one is showing as HTTP2 (but only in the OSX version of Wireshark) and Bro can't read the pcap properly. The other pcap is read just fine.
>> 
>> Sorry for the wall of text but if anyone can point me in the right direction, I'd be much obliged. Thanks!
>>  
>> 
>> -- 
>> Josh Guild
>> Network Intelligence Analyst
>>  <https://twitter.com/stay_spooky>  <https://keybase.io/joshuaguild>
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> 
> -- 
> Josh Guild
> Network Intelligence Analyst
>  <https://twitter.com/stay_spooky>  <https://keybase.io/joshuaguild>
> 

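The reordering problem Daniel describes can be checked before handing a capture to Bro: a merged feed from two aggregator ports often has packets whose timestamps run backwards, and a stream reassembler that assumes time order then reports exactly the SYN_seq_jump / TCP_seq_underflow_or_misorder / above_hole_data_without_any_acks class of weirds seen above. The script below is an added example, not code from this thread or from the Bro or Wireshark projects. It parses the classic libpcap format (24-byte global header, 16-byte per-packet header; pcapng is not handled), counts packets whose timestamp precedes the previous packet's, and stably sorts the records by timestamp, which is what reordercap does on disk. The sample capture it runs on is constructed inline so the example runs offline.

```python
"""Detect and fix out-of-order packet timestamps in a classic libpcap file.

Added example (not from the mailing-list thread or the Bro project).
Assumes the classic libpcap format; pcapng files are rejected.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution timestamps
MAGIC_NSEC = 0xA1B2CD34   # nanosecond-resolution variant
GLOBAL_HDR_LEN = 24
PKT_HDR_LEN = 16


def _endian(data):
    """Return the struct byte-order prefix for this file, or raise if it is not pcap."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            return prefix
    raise ValueError("not a classic libpcap file (pcapng is not handled here)")


def parse_pcap(data):
    """Split a pcap into its global header and a list of (ts_sec, ts_frac, record).

    `record` is the raw 16-byte packet header plus packet bytes, kept verbatim
    so the file can be re-emitted without touching packet contents.
    """
    prefix = _endian(data)
    hdr = data[:GLOBAL_HDR_LEN]
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + PKT_HDR_LEN > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            prefix + "IIII", data[off:off + PKT_HDR_LEN])
        end = off + PKT_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_frac, data[off:end]))
        off = end
    return hdr, records


def count_out_of_order(data):
    """Number of packets whose timestamp is earlier than the packet before it."""
    _, records = parse_pcap(data)
    prev = None
    n = 0
    for ts_sec, ts_frac, _ in records:
        key = (ts_sec, ts_frac)
        if prev is not None and key < prev:
            n += 1
        prev = key
    return n


def reorder_pcap(data):
    """Rewrite the file with packets in timestamp order (stable sort, as reordercap does)."""
    hdr, records = parse_pcap(data)
    records.sort(key=lambda r: (r[0], r[1]))
    return hdr + b"".join(r[2] for r in records)


def build_pcap(packets, linktype=1):
    """Build a little-endian microsecond pcap from (ts_sec, ts_usec, payload) tuples.

    Only used here to construct sample input; linktype 1 is Ethernet.
    """
    out = [struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, payload in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload)
    return b"".join(out)


# Constructed sample: what a merge of two aggregator ports without time
# ordering looks like. Payloads are dummy bytes, not real frames.
SAMPLE = build_pcap([
    (1460672400, 100, b"\x01" * 60),
    (1460672400, 300, b"\x02" * 60),
    (1460672400, 200, b"\x03" * 60),   # earlier than the previous packet
    (1460672401, 0,   b"\x04" * 60),
    (1460672400, 900, b"\x05" * 60),   # earlier again
])

if __name__ == "__main__":
    print("out-of-order packets before reordering:", count_out_of_order(SAMPLE))
    print("out-of-order packets after reordering: ", count_out_of_order(reorder_pcap(SAMPLE)))
```

To use it on a real capture, read the file into `data`, and if `count_out_of_order(data)` is non-zero, write `reorder_pcap(data)` (or run `reordercap in.pcap out.pcap`) and re-run Bro on the result; if the TCP misorder weirds drop away while the HTTP ones stay, the remaining problem is in the traffic rather than in the capture path. A non-zero count from a single-port pcap, as opposed to a merge, points at the aggregator itself.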