[Bro] TCP Packets not getting logged
Robin Sommer
robin at icir.org
Wed Nov 29 19:10:11 PST 2006
On Wed, Nov 29, 2006 at 19:55 +0530, Bindiya V S wrote:
> connection closing handshakes (FIN and ACK). When I try re-running
> the same PCAP in short intervals (running tcpreplays multiple times
> on the same PCAP), the packets coming on the connection which didnt
> have FIN and ACK earlier are not getting logged.
That's because the internal connection state for these connections
is still in memory and Bro believes that the incoming packets do
actually belong to the same (old) connection. For connections closed
with FINs, the connection state is flushed more quickly, which is
why you're less likely to see this effect for them.
In general, replaying the same traffic multiple times is likely to
confuse Bro in various ways (e.g., also some of the scripts).
Usually it's best to create multiple different instances of the
trace first by, e.g., changing IP addresses.
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list