[Bro] High orig_bytes value

Seth Hall seth at icir.org
Wed Sep 7 12:43:04 PDT 2016

> On Aug 29, 2016, at 1:01 PM, Danilo Nicolò <dani.nicolo at gmail.com> wrote:
> I'm testing Bro 2.5 beta with netmap, and I noticed this row: 
> {"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"","id.orig_p":11328,"id.resp_h":"","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[],"local_origi":"T4","local_respo":"T4"}

Unfortunately you haven't given enough information to debug this problem.  I haven't heard of a problem like this with netmap.

Although, I can say that it would be possible to cause a Bro log to look like that if two systems on the network were out to mess with you.  Those large numbers are calculated by doing TCP sequence ID tracking.  If you look at the orig_ip_bytes and resp_ip_bytes fields, you can see those are much smaller because they are actually calculated from the byte size of packets seen.

Are you seeing this regularly, or was this a one-off?  Are you running packet-bricks or lb on top of netmap or do you have Bro connecting to a netmap interface directly?  Are you using the netmap libpcap wrappers or are you using the netmap plugin?


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
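The distinction Seth draws above (orig_bytes derived from sequence-number tracking versus orig_ip_bytes summed from the packets actually captured) is easy to see with a small model. The following is an added example written for this page, not Bro's connection analyzer: it tracks sequence numbers on the 32-bit circle for a constructed flow, shows how a single packet carrying a bogus sequence number inflates the sequence-derived count to billions while the packet-derived count stays in the hundreds, and applies a plausibility check to the record quoted above. The packet layout (40 bytes of IP+TCP header plus payload), the helper names, and the check `orig_bytes <= orig_ip_bytes + missed_bytes` are assumptions of this example, not Bro's.

```python
"""
Added example (not Bro/Zeek code): two ways of counting the bytes a
connection endpoint sent, and why they can disagree wildly.

  bytes_from_seq()     -> what sequence-number tracking implies was sent
  bytes_from_packets() -> what the captured packets actually carried
"""

SEQ_MOD = 1 << 32  # TCP sequence numbers live on a 32-bit circle


def seq_delta(start, end):
    """Distance from start to end, walking forward on the 32-bit circle."""
    return (end - start) % SEQ_MOD


def pkt(seq, payload=0):
    """Constructed packet: 20-byte IP header + 20-byte TCP header + payload (assumed)."""
    return {"seq": seq % SEQ_MOD, "payload": payload, "ip_len": 40 + payload}


def bytes_from_seq(packets):
    """Payload bytes implied by sequence numbers alone.

    The first packet is assumed to be the SYN, so data starts at ISN + 1.
    The count is the furthest (seq + payload) seen, measured from that start.
    A packet whose sequence number is nowhere near the real stream (spoofed
    by a third party, or mangled in capture) moves the high-water mark by
    up to ~4 GiB even though it carried no data.
    """
    isn = packets[0]["seq"]
    start = (isn + 1) % SEQ_MOD
    highest = start
    for p in packets[1:]:
        end = (p["seq"] + p["payload"]) % SEQ_MOD
        if seq_delta(start, end) > seq_delta(start, highest):
            highest = end
    return seq_delta(start, highest)


def bytes_from_packets(packets):
    """Bytes actually observed on the wire: sum of IP lengths of captured packets."""
    return sum(p["ip_len"] for p in packets)


def implausible_byte_count(record):
    """Plausibility check (assumed, not a Bro rule): the sequence-derived
    orig_bytes cannot honestly exceed the bytes seen plus the bytes known
    to have been missed. Returns True when a record fails that bound."""
    return record["orig_bytes"] > record["orig_ip_bytes"] + record["missed_bytes"]


# Constructed flow: SYN, then two data segments totalling 150 payload bytes.
NORMAL = [pkt(1000), pkt(1001, 100), pkt(1101, 50)]

# Same flow plus one empty packet whose sequence number sits 256 bytes
# *behind* the stream start on the circle, i.e. ~4 GiB ahead of it when
# walking forward. Constructed to stand in for a spoofed/garbled packet.
SPOOFED = NORMAL + [pkt(1001 + 0xFFFFFF00, 0)]

# Numbers taken from the conn record quoted in the original post.
QUOTED_RECORD = {
    "orig_bytes": 4294967296,
    "orig_ip_bytes": 292,
    "missed_bytes": 1168863602,
}

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL), ("spoofed", SPOOFED)):
        print(f"{name:8s} seq-derived={bytes_from_seq(flow):>12d} "
              f"packet-derived={bytes_from_packets(flow):>6d}")
    print("quoted record implausible:", implausible_byte_count(QUOTED_RECORD))
```

For the normal flow both counters agree with what was sent (150 payload bytes; 270 bytes including headers). Adding the single bogus packet leaves the packet-derived count at 310 bytes but pushes the sequence-derived count to 4294967040, the same order of magnitude as the 4294967296 in the quoted record, which is why comparing orig_bytes against orig_ip_bytes and missed_bytes is a cheap way to spot such records in conn.log before chasing a capture-path bug.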
