<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
On Wed, 2015-08-19 at 21:30 -0400, Seth Hall wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#737373">&gt; On Aug 19, 2015, at 8:21 PM, &#44608;&#55148;&#52384; &lt;<A HREF="mailto:hckim@narusec.com">hckim@narusec.com</A>&gt; wrote:</FONT>
<FONT COLOR="#737373">&gt; </FONT>
<FONT COLOR="#737373">&gt; Inside a Conn.log history I have the letter 'Q' in it.</FONT>
<FONT COLOR="#737373">&gt; I cannot find any info about 'Q'. </FONT>
<FONT COLOR="#737373">&gt; Am I missing something?</FONT>
<FONT COLOR="#737373">&gt; </FONT>
<FONT COLOR="#737373">&gt; 1439941988.068044        C3FNvf40Sa0n7jtNTf        10.122.100.26        63394        10.122.110.8        22        tcp        -        1.796387        0        0        SH        T        Qah        1        60        4        224        (empty)        (empty)        (empty)</FONT>

&#8216;Q&#8217; indicates a multi-flag packet. It should be either a SYN/FIN or SYN/RST packet.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
<A HREF="http://www.bro.org/">http://www.bro.org/</A>


_______________________________________________
Bro mailing list
<A HREF="mailto:bro@bro-ids.org">bro@bro-ids.org</A>
<A HREF="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro</A>
</PRE>
</BLOCKQUOTE>
<BR>
That's interesting. I don't have Q at all, and I would agree that maybe that should be documented somewhere, but I couldn't find it here:<BR>
<BR>
<A HREF="https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info">https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info</A><BR>
<BR>
James
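<BR>
A decoder for the conn.log history letters Seth describes, run over the record quoted above (an added example for this page, not code from the thread or from the Bro project; the letter table follows the Bro conn.log documentation, and the sample's local_resp and missed_bytes values are constructed, since the poster's column layout differs from the standard header):<BR>

```python
"""Decode the conn.log 'history' column of a Bro/Zeek connection record.
Added example for this thread, not code from the Bro project or anyone on the
list. Letter meanings follow the Bro conn.log documentation: an uppercase letter
means the originator sent that packet, a lowercase one means the responder did."""

HISTORY_LETTERS = {
    "s": "SYN (no ACK)",
    "h": "SYN+ACK handshake",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "t": "retransmitted payload",
    "w": "zero window",
    "i": "inconsistent flags (e.g. FIN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}
# '^' has no direction: Bro flipped originator/responder by heuristic.
NO_DIRECTION = {"^": "direction flipped by heuristic"}

def decode_history(history):
    """Return (who, letter, meaning) for each letter of a history string."""
    out = []
    for ch in history:
        if ch in NO_DIRECTION:
            out.append(("-", ch, NO_DIRECTION[ch]))
            continue
        who = "orig" if ch.isupper() else "resp"
        out.append((who, ch, HISTORY_LETTERS.get(ch.lower(), "unknown letter")))
    return out

def history_from_record(fields_header, record):
    """Pick the history column from one tab-separated conn.log line, using the
    '#fields' header so the column order of a given install does not matter."""
    names = fields_header.rstrip("\n").split("\t")[1:]  # drop the '#fields' tag
    return dict(zip(names, record.rstrip("\n").split("\t")))["history"]

def multi_flag_sides(history):
    """Sides that sent a multi-flag (Q/q) packet; empty list if none."""
    return sorted({who for who, ch, _ in decode_history(history) if ch.lower() == "q"})

# Constructed sample: values from the quoted message under a standard Bro 2.4
# header (the poster's layout differs; local_resp and missed_bytes are made up).
FIELDS = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
          "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory"
          "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents")
RECORD = ("1439941988.068044\tC3FNvf40Sa0n7jtNTf\t10.122.100.26\t63394\t10.122.110.8"
          "\t22\ttcp\t-\t1.796387\t0\t0\tSH\tT\tF\t0\tQah\t1\t60\t4\t224\t(empty)")
```

For the quoted record, decode_history(history_from_record(FIELDS, RECORD)) reads as: originator multi-flag packet, responder pure ACK, responder SYN+ACK.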
</BODY>
</HTML>