Bro always crashes

Vern Paxson vern at ee.lbl.gov
Fri May 7 01:33:42 PDT 1999


> without seeing a SYN-ack from B.80 in between.  This then leads to
> Bro holding state for the half-established connection after it sees
> A.1234 -> B.80.

I should add that I diagnosed this because the connection summaries
Bro generated on stdout looked like:

925897359.600000 0.26 http ? 1775 199.108.25.84 130.104.28.234 SHR X

"SHR" indicates a half-established connection that was closed by the
responder.  (It's the responder in this case because the only packets
Bro saw were the SYN-ack [rather than the SYN] and the FIN.)

This is a highly unusual state for normal traffic, i.e. when Bro sees
both sides of the connections.

		Vern


