<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=big5">
<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=4>My simulated environment is below:</FONT></DIV>
<DIV><FONT size=4>Bro 1.2, loading local.lite.bro, running on Linux Fedora 5.
Bro's IP is 192.168.0.1, and the machine replaying the tcpdump file is
192.168.0.3.</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>I use tcpreplay to replay the DARPA 2000 LLDOS 1.0 DMZ dump file to
Bro's machine in a real closed network.</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>My question is:</FONT></DIV>
<DIV><FONT size=4><STRONG>In the info.localhost.06-12-27_13.16.39 file, I find that a
lot of packets are dropped. Why? Is that right? If not, how can I improve
it?</STRONG></FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>Thanks for your help!!</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT
size=4> Gita
in NTUST</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>The tcpreplay command is below:</FONT></DIV>
<DIV><FONT size=4>tcpreplay LLDOS_1.0_dump_file -i 192.168.0.3</FONT></DIV>
<DIV><FONT size=4> </FONT></DIV>
<DIV><FONT size=4>The content of the info.localhost.06-12-27_13.16.39 file is
below:</FONT></DIV>
<DIV><FONT
size=4>----------------------------------------------------------------</FONT></DIV>
<DIV><FONT size=2>/usr/local/bro/policy/scan.bro, line 92: warning: no such
host: j5004.inktomisearch.com<BR>/usr/local/bro/policy/scan.bro, line 92:
warning: no such host:
j5005.inktomisearch.com<BR>/usr/local/bro/policy/scan.bro, line 93: warning: no
such host: j5006.inktomisearch.com<BR>/usr/local/bro/policy/scan.bro, line 93:
warning: no such host: j100.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line
93: warning: no such host: j101.inktomi.com<BR>/usr/local/bro/policy/scan.bro,
line 94: warning: no such host:
j3002.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 94: warning: no such
host: si3000.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 94: warning: no
such host: si3001.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 95:
warning: no such host: si3002.inktomi.com<BR>/usr/local/bro/policy/scan.bro,
line 95: warning: no such host:
si3003.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 95: warning: no such
host: si4000.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 96: warning: no
such host: si4001.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 96:
warning: no such host: si4002.inktomi.com<BR>/usr/local/bro/policy/scan.bro,
line 96: warning: no such host:
wm3018.inktomi.com<BR>/usr/local/bro/policy/scan.bro, line 99: warning: no such
host: test-scooter.av.pa-x.dec.com<BR>/usr/local/bro/policy/scan.bro, line 130:
warning: no such host: a.root-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 130: warning: no such host:
b.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 130: warning: no such
host: c.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 131: warning:
no such host: d.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 131:
warning: no such host: e.root-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 131: warning: no such host:
f.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 132: warning: no such
host: g.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 132: warning:
no such host: h.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 132:
warning: no such host: i.root-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 133: warning: no such host:
j.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 133: warning: no such
host: k.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 133: warning:
no such host: l.root-servers.net<BR>/usr/local/bro/policy/scan.bro, line 134:
warning: no such host: m.root-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 138: warning: no such host:
a.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 138: warning: no such
host: b.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 138: warning:
no such host: c.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 139:
warning: no such host: d.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 139: warning: no such host:
e.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 139: warning: no such
host: f.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 140: warning:
no such host: g.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 140:
warning: no such host: h.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 140: warning: no such host:
i.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 141: warning: no such
host: j.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 141: warning:
no such host: k.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro, line 141:
warning: no such host: l.gtld-servers.net<BR>/usr/local/bro/policy/scan.bro,
line 142: warning: no such host:
m.gtld-servers.net<BR>/usr/local/bro/policy/ftp.bro, line 74: warning: no such
host: gvaona1.cns.hp.com<BR>/usr/local/bro/policy/portmapper.bro, line 146:
warning: no such host: sun-rpc.mcast.net<BR>listening on eth0<BR>Bro Version:
1.2<BR>Started with the following command line options: -W -i eth0
local.lite.bro<BR>Capture filter: ((((((((((((((((((((((port ftp) or (port 143))
or (port 111)) or (udp port 69)) or (port 6666)) or (tcp[2:2] > 32770 and
tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139))
or ( icmp)) or (port 512 or port 513 or port 515)) or (port ftp)) or (port
telnet or tcp port 513)) or (port smtp)) or (tcp port 80 or tcp port 8080 or tcp
port 8000 or tcp port 8001)) or (port smtp)) or ((ip[6:2] & 0x3fff != 0) and
tcp)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (dst
port 135 or dst port 137 or dst port 139 or dst port 445)) or (port telnet)) or
(port 161 or port 162)) or (port 53)) or (port 6667)) or (port 111)) or (tcp[13]
& 7 != 0)) or (tcp src port 80 or tcp src port 8080 or tcp src port
8000)<BR>1168837833.287204 received termination signal<BR>334036 packets
received on interface eth0, <FONT color=#ff0000>12343464
dropped</FONT></FONT></DIV>
<DIV><FONT size=4></FONT> </DIV></BODY></HTML>