[Bro] Connection summaries question
Vern Paxson
vern at icir.org
Wed Nov 10 15:23:08 PST 2004
[catching up on old mail]
> - When Bro encounters a flow mid-stream and that flow gets shut down
> normally in the end, I see "SF" in connection summaries.
Yes.
> - Also, it appears that when one port is well-known and the other is
> ephemeral, Bro assumes that the connection was established from the
> ephemeral to the well-known one.
Yep.
> This is based on the following tiny trace:
> http://www.cl.cam.ac.uk/~cpk25/outback/http-single-midstream.trace
>
> I'm asking because I'm selecting flows from a trace based on this output
> and the semantics matter. Intuitively I would have assumed that SF is
> only printed for flows seen in their entirety.
You're right that that's the better interpretation. The core problem is
that there are a whole lot of different possible connection states - in
particular, more than TCP's own state machine allows for, since it assumes
correct establishment - and Bro's state-tracking evolved from an initial
approach that assumed correct TCP operation.
Once I integrate Mark's addition of state-tracking, this problem will
basically go away.
Vern
More information about the Bro
mailing list