[Bro] About Bro drop packet....

張澤生 M9315927 at mail.ntust.edu.tw
Wed Jan 17 00:26:24 PST 2007


My simulated environment is below:
Bro 1.2, loading local.lite.bro, running on Linux Fedora 5. Bro's IP is 192.168.0.1, and the machine replaying the tcpdump file is 192.168.0.3.

I use tcpreplay to replay the DARPA 2000 LLDOS 1.0 DMZ dump file to Bro's machine in a real closed network.

My question is:
In the info.localhost.06-12-27_13.16.39 file, I find that a lot of packets are dropped. Why? Is this right? If not, how can I improve it?

Thanks for your help!!

Gita in NTUST

The tcpreplay command is below:
tcpreplay LLDOS_1.0_dump_file -i 192.168.0.3
  
The content of the info.localhost.06-12-27_13.16.39 file is below:
----------------------------------------------------------------
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
/usr/local/bro/policy/scan.bro, line 99: warning: no such host: test-scooter.av.pa-x.dec.com
/usr/local/bro/policy/scan.bro, line 130: warning: no such host: a.root-servers.net
/usr/local/bro/policy/scan.bro, line 130: warning: no such host: b.root-servers.net
/usr/local/bro/policy/scan.bro, line 130: warning: no such host: c.root-servers.net
/usr/local/bro/policy/scan.bro, line 131: warning: no such host: d.root-servers.net
/usr/local/bro/policy/scan.bro, line 131: warning: no such host: e.root-servers.net
/usr/local/bro/policy/scan.bro, line 131: warning: no such host: f.root-servers.net
/usr/local/bro/policy/scan.bro, line 132: warning: no such host: g.root-servers.net
/usr/local/bro/policy/scan.bro, line 132: warning: no such host: h.root-servers.net
/usr/local/bro/policy/scan.bro, line 132: warning: no such host: i.root-servers.net
/usr/local/bro/policy/scan.bro, line 133: warning: no such host: j.root-servers.net
/usr/local/bro/policy/scan.bro, line 133: warning: no such host: k.root-servers.net
/usr/local/bro/policy/scan.bro, line 133: warning: no such host: l.root-servers.net
/usr/local/bro/policy/scan.bro, line 134: warning: no such host: m.root-servers.net
/usr/local/bro/policy/scan.bro, line 138: warning: no such host: a.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 138: warning: no such host: b.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 138: warning: no such host: c.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 139: warning: no such host: d.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 139: warning: no such host: e.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 139: warning: no such host: f.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 140: warning: no such host: g.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 140: warning: no such host: h.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 140: warning: no such host: i.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 141: warning: no such host: j.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 141: warning: no such host: k.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 141: warning: no such host: l.gtld-servers.net
/usr/local/bro/policy/scan.bro, line 142: warning: no such host: m.gtld-servers.net
/usr/local/bro/policy/ftp.bro, line 74: warning: no such host: gvaona1.cns.hp.com
/usr/local/bro/policy/portmapper.bro, line 146: warning: no such host: sun-rpc.mcast.net
listening on eth0
Bro Version: 1.2
Started with the following command line options:  -W -i eth0 local.lite.bro
Capture filter: ((((((((((((((((((((((port ftp) or (port 143)) or (port 111)) or (udp port 69)) or (port 6666)) or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139)) or ( icmp)) or (port 512 or port 513 or port 515)) or (port ftp)) or (port telnet or tcp port 513)) or (port smtp)) or (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001)) or (port smtp)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (dst port 135 or dst port 137 or dst port 139 or dst port 445)) or (port telnet)) or (port 161 or port 162)) or (port 53)) or (port 6667)) or (port 111)) or (tcp[13] & 7 != 0)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)
1168837833.287204 received termination signal
334036 packets received on interface eth0, 12343464 dropped