[Bro] Quick question on conn tracking

James Lay jlay at slave-tothe-box.net
Wed Sep 28 12:51:17 PDT 2016

Hey all,

So I'm getting Bro and Elasticsearch going, with one of the goals being
finding flows with no service field.  That being said, I am seeing that a
long session, at least I THINK that's what I'm seeing, appears to be
counted twice.  From conn.log:

2016-09-28T12:29:39-0600   44083    443    tcp     ssl     0.214346        460     170     S1      T       F       0       ShADad  8 884      7       542     (empty) -

2016-09-28T12:44:39-0600   44083    443    tcp     -       0.016678        31      0       RSTRH   T       F       0       fDrAr   2 135      3       132     (empty) -

I captured the data and I'm enclosing the pcap.  Basically, the SSL
connection is established at 12:29:39 and is open until Facebook gets
annoyed and FIN-ACKs the session at 12:44:39 (now we know they time out
at exactly 15 minutes).  However, why does that show up as the entries
above?  Thanks for any insight.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 3408 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160928/b74ae04c/attachment.obj 
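As an added example (not from the post and not Bro's own code): a small Python post-processor for conn.log that links a service-less record to an earlier record with the same 4-tuple when its history shows no SYN, so a record like the second one above is tied to the first rather than counted as a separate unknown-service flow. The uids, IPs and epoch timestamps in the sample are constructed placeholders; the column subset follows conn.log's #fields header.

```python
"""Link service-less conn.log records to an earlier record for the same 4-tuple."""
from collections import defaultdict

# Constructed sample in conn.log TSV layout (subset of the standard columns).
# uid and IP values are placeholders; the first two rows mirror the post's records,
# the third is an unrelated connection that Bro saw from its SYN onward.
SAMPLE = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state\thistory\n"
    "1475087379.0\tC1\t10.0.0.5\t44083\t203.0.113.10\t443\ttcp\tssl\t0.214346\tS1\tShADad\n"
    "1475088279.0\tC2\t10.0.0.5\t44083\t203.0.113.10\t443\ttcp\t-\t0.016678\tRSTRH\tfDrAr\n"
    "1475088300.0\tC3\t10.0.0.5\t50000\t203.0.113.20\t443\ttcp\t-\t0.5\tS0\tS\n"
)


def parse_conn_log(text):
    """Parse conn.log text into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def link_continuations(records):
    """Return (record, parent_uid) pairs in time order.

    parent_uid is set when a service-less record has no SYN in its history
    ('S' from the originator, 's' from the responder), i.e. Bro picked the
    connection up mid-stream, and an earlier record exists for the same
    orig_h/orig_p/resp_h/resp_p/proto.  A genuinely new connection that
    reuses the source port starts with a SYN and is therefore not linked.
    """
    by_tuple, out = defaultdict(list), []
    for rec in sorted(records, key=lambda r: float(r["ts"])):
        key = (rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"], rec["proto"])
        parent = None
        if rec["service"] == "-" and not set("Ss") & set(rec["history"]):
            earlier = by_tuple.get(key)
            if earlier:
                parent = earlier[-1]["uid"]
        by_tuple[key].append(rec)
        out.append((rec, parent))
    return out


def unknown_service_flows(records):
    """uids of service-less records that could not be tied to an earlier record."""
    return [r["uid"] for r, parent in link_continuations(records)
            if r["service"] == "-" and parent is None]
```

Feeding the parser real conn.log output requires the full #fields line, which the sample abbreviates; the linking logic only needs the columns named above.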
