[Bro] TCP Connection duration = ?

Cliff zhangwei at comexgenesys.com
Wed Sep 15 18:45:05 PDT 2004


Ya, I have the same problem as Mike. There are many '?' durations in the logs, as follows:
1095308764.656004 1.809737 192.168.10.119 210.19.14.6 pop-3 3403 110 tcp 58 73 SF X
1095308766.082135 1.730581 192.168.10.121 128.230.129.221 nntp 4596 119 tcp 40 168 SF X
1095308787.021557 0.175026 192.168.10.124 61.168.68.245 other 2881 1039 tcp ? ? REJ X
1095308786.694412 0.755664 192.168.10.124 61.149.37.104 other 2880 35220 tcp ? ? REJ X
1095308787.675227 0.072789 192.168.10.124 220.164.96.132 other 2883 14977 tcp ? ? REJ X
1095308787.721514 0.172381 192.168.10.124 61.168.68.245 other 2881 1039 tcp ? ? REJ X

I want to know the mechanism that generates the '?'.
Who can help me?

Thanks in advance.   :-)


Cliff



----- Original Message ----- 
From: "Mike Muratet" <mike.muratet at torchtechnologies.com>
To: <bro at bro-ids.org>
Sent: Thursday, September 16, 2004 6:11 AM
Subject: [Bro] TCP Connection duration = ?


> Greetings
> 
> Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I 
> see many instances where the connection duration is '?'. I've looked at the 
> manual, and by the definition of 'duration' I am led to believe that a ? 
> indicates a record with an end event that never received a begin event. I'm 
> still trying to find the calculation in the source, but does this make 
> sense?
> 
> Thanks
> 
> Mike 
> 
> _______________________________________________
> Bro mailing list
> Bro at ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
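As an added example (not code from this thread or from Bro itself): a small parser for the conn-log lines quoted above that keeps a '?' field as None instead of silently coercing it to zero, and tallies which numeric fields are unknown per connection state. The field order is assumed from the sample lines.

```python
from typing import Dict, List, Optional

# The six records quoted in the thread, embedded here as the sample input.
SAMPLE_LOG = """\
1095308764.656004 1.809737 192.168.10.119 210.19.14.6 pop-3 3403 110 tcp 58 73 SF X
1095308766.082135 1.730581 192.168.10.121 128.230.129.221 nntp 4596 119 tcp 40 168 SF X
1095308787.021557 0.175026 192.168.10.124 61.168.68.245 other 2881 1039 tcp ? ? REJ X
1095308786.694412 0.755664 192.168.10.124 61.149.37.104 other 2880 35220 tcp ? ? REJ X
1095308787.675227 0.072789 192.168.10.124 220.164.96.132 other 2883 14977 tcp ? ? REJ X
1095308787.721514 0.172381 192.168.10.124 61.168.68.245 other 2881 1039 tcp ? ? REJ X
"""

# Field order assumed from the sample (legacy Bro connection-summary layout).
FIELDS = ("start", "duration", "orig_ip", "resp_ip", "service", "orig_port",
          "resp_port", "proto", "orig_bytes", "resp_bytes", "state", "flags")
# Numeric fields and their converters; any of them may be '?' (unknown).
NUMERIC = {"start": float, "duration": float, "orig_port": int,
           "resp_port": int, "orig_bytes": int, "resp_bytes": int}


def parse_line(line: str) -> Dict[str, object]:
    """Split one record into a dict; '?' in a numeric field becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = {}
    for name, raw in zip(FIELDS, parts):
        if name in NUMERIC:
            rec[name] = None if raw == "?" else NUMERIC[name](raw)
        else:
            rec[name] = raw
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-blank line of a log dump."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def unknown_fields_by_state(records: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Per connection state, count how often each numeric field was '?'.

    Grouping the unknowns by state shows whether they cluster on one
    outcome (in the sample, only the REJ records carry '?' byte counts).
    """
    out: Dict[str, Dict[str, int]] = {}
    for r in records:
        counts = out.setdefault(str(r["state"]), {})
        for name in NUMERIC:
            if r[name] is None:
                counts[name] = counts.get(name, 0) + 1
    return out
```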