[Bro] Split-ed connection for some UDP traffic?

Seth Hall seth at corelight.com
Thu Aug 10 04:42:54 PDT 2017

Hi Fatema, I don't see a reply to this message in the mailing list so
I'll give it a shot...

fatema bannatwala wrote:
> 1500927487.398576 CLr9ebnHeAYNOGzei 41600 389 udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)
> 1500927487.404591 CapBfs1lhI2XFt4gJb 389 41600 udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)
> Here, in the above case, shouldn't Bro be logging only a single
> connection with src: and dest:, with
> History 'Dd' ? or I might be missing
> something important here :)

Your traffic isn't being load-balanced correctly.  You have one worker
receiving one flow of the connection and another worker receiving the
other flow of the connection.  You can tell because of the two different
"connections" that have the 4-tuple of ports and IP addresses, and you
picked up on the "D" instead of "Dd".  That just means that traffic was
only seen from the originator, which we would expect with mismatched load

Are you seeing this sort of behavior with other connections or just this
one single odd-ball connection?


Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
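An added example, not code from the thread or from the Bro project: a small check that scans conn.log records for the pattern Seth describes, two records whose 4-tuples mirror each other, start almost simultaneously, and each carry only originator-side history. The sample log is constructed from the quoted records; the host addresses are placeholders, since the original post had them redacted.

```python
from collections import defaultdict

# Bro 2.5 conn.log column order (21 fields).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
          "resp_pkts", "resp_ip_bytes", "tunnel_parents"]

# Constructed sample: the two split records from the thread (10.0.0.5 and
# 192.0.2.10 are placeholder addresses) plus one healthy "Dd" DNS lookup.
SAMPLE_LOG = "\n".join([
    "\t".join(["1500927487.398576", "CLr9ebnHeAYNOGzei", "10.0.0.5", "41600",
               "192.0.2.10", "389", "udp", "-", "93.677712", "39999", "0", "S0",
               "F", "T", "0", "D", "597", "56715", "0", "0", "(empty)"]),
    "\t".join(["1500927487.404591", "CapBfs1lhI2XFt4gJb", "192.0.2.10", "389",
               "10.0.0.5", "41600", "udp", "-", "93.672242", "1773687", "0", "S0",
               "T", "F", "0", "D", "597", "1790403", "0", "0", "(empty)"]),
    "\t".join(["1500927490.000000", "CxyzHealthyDns1", "10.0.0.5", "53001",
               "192.0.2.53", "53", "udp", "dns", "0.010000", "60", "120", "SF",
               "T", "F", "0", "Dd", "1", "88", "1", "148", "(empty)"]),
])

def parse_conn_log(text):
    """Parse tab-separated conn.log body lines; '#' header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rows.append(dict(zip(FIELDS, line.split("\t"))))
    return rows

def find_split_connections(rows, window=1.0):
    """Return (uid_a, uid_b) pairs that look like one flow split across workers:
    mirrored 4-tuples, start within `window` seconds, and no responder-side
    (lowercase) history letters in either record."""
    by_key = defaultdict(list)
    for r in rows:
        ends = frozenset([(r["id.orig_h"], r["id.orig_p"]), (r["id.resp_h"], r["id.resp_p"])])
        by_key[(r["proto"], ends)].append(r)
    pairs = []
    for group in by_key.values():
        group.sort(key=lambda r: float(r["ts"]))
        for a, b in zip(group, group[1:]):
            mirrored = (a["id.orig_h"], a["id.orig_p"]) == (b["id.resp_h"], b["id.resp_p"])
            one_sided = not any(c.islower() for c in a["history"] + b["history"])
            if mirrored and one_sided and float(b["ts"]) - float(a["ts"]) <= window:
                pairs.append((a["uid"], b["uid"]))
    return pairs

if __name__ == "__main__":
    for a, b in find_split_connections(parse_conn_log(SAMPLE_LOG)):
        print(f"split connection: {a} / {b}")
```

Run it over a real conn.log to see how widespread the problem is, which answers the question at the end of the reply; many hits across a cluster point at the load balancer rather than one odd connection.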

