[Bro] UDP contents
Mike Dopheide
dopheide at ncsa.uiuc.edu
Mon Jan 29 17:06:59 PST 2007
I've upgraded to Bro 1.2.1 and here are four packets that correspond to
a DNS request and the kerberos request:
18:15:49.693120 IP 141.142.222.33.32909 > 141.142.2.2.domain: 24696+
SRV? _kerberos-master._tcp.NCSA.EDU. (48)
18:15:49.693493 IP 141.142.2.2.domain > 141.142.222.33.32909: 24696
NXDomain* 0/1/0 (105)
18:15:49.693545 IP 141.142.222.33.32909 > 141.142.3.16.kerberos: v5
18:15:49.694244 IP 141.142.3.16.kerberos > 141.142.222.33.32909:
And my Bro output:
32909/udp 53/udp F
32909/udp 88/udp F
In this case, 141.142.222.33 is the local client where bro is running.
Interestingly enough, I did a tcpdump from two other clients. One in
the same building gave similar results, one in the building with the
kerberos server gave me the results we should expect:
36209/udp 53/udp T
36209/udp 53/udp F
36209/udp 88/udp T
36209/udp 88/udp F
Now might be a good time to mention that I also see these messages
locally, but I had always assumed they were unrelated and due to other
local traffic:
1170117967.140200 weird: bad_UDP_checksum
1170117967.140751 weird: bad_UDP_checksum
1170117967.141191 weird: bad_UDP_checksum
1170117967.142015 weird: bad_TCP_checksum
1170117967.142807 weird: bad_TCP_checksum
So, my current theory is that there's something screwy with our local
network, and I intend to find out what's causing it. I'll let you know
when I do. This UDP traffic 'works', so I think Bro should be detecting
it regardless of whether some networking equipment might be mangling the
packets a bit.
-Mike
Christian Kreibich wrote:
> Hi Mike,
>
> it doesn't look like you're doing anything wrong. However, I've just
> tried dumping some UDP contents with Bro 1.2.1 and it works fine, so we
> need to figure out why it's not working for you.
>
> I have this traffic:
>
> 22:26:10.089582 IP 1.2.3.211.53 > 200.33.146.222.32789: 3628*- 1/4/4 PTR [...]. (245)
> 22:26:10.089582 IP 1.2.3.211.32789 > 200.33.146.222.53: 18275 A? [...]. (44)
> 22:26:10.229573 IP 1.2.3.211.53 > 200.33.146.222.32789: 18275*- 1/3/3 A [...] (187)
> 22:30:39.981424 IP 1.2.3.211.32789 > 200.33.146.222.53: 36142 PTR? [...]. (44)
> 22:30:40.141413 IP 1.2.3.211.53 > 200.33.146.222.32789: 36142* 1/2/2 PTR [...]. (16
> 22:30:40.151412 IP 1.2.3.211.32789 > 200.33.146.222.53: 20837 A? [...]. (52)
> 22:30:40.311401 IP 1.2.3.211.53 > 200.33.146.222.32789: 20837 NXDomain* 0/1/0 (120)
>
> and this policy, in which I don't print out the contents, but have added
> output of the is_orig flag that shows the directionality of the packet:
>
> ----
> global dop = open_log_file("dop") &redef;
>
> # Fires once per UDP payload Bro hands to the analyzer; is_orig is T for
> # packets sent by the connection originator (the querying client) and F
> # for packets sent by the responder.
> event udp_contents(u: connection, is_orig: bool, contents: string)
> 	{
> 	local id = u$id;
> 	print dop, fmt("KDC %s %s %s", id$orig_p, id$resp_p, is_orig);
> 	}
> ----
>
> I get output from both directions as expected:
>
> KDC 32789/udp 53/udp F
> KDC 32789/udp 53/udp T
> KDC 32789/udp 53/udp F
> KDC 32789/udp 53/udp T
> KDC 32789/udp 53/udp F
> KDC 32789/udp 53/udp T
> KDC 32789/udp 53/udp F
>
> Could you validate via is_orig whether you see the right directions, and
> use Bro 1.2.1 for your tests?
>
> On Mon, 2007-01-29 at 14:22 -0600, Mike Dopheide wrote:
>> I'm having a slight problem getting the contents of Kerberos UDP
>> packets. This is my first attempt at Bro so hopefully my error is
>> something simple.
> [...]
>
> Cheers,
> Christian.
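The bad_UDP_checksum weirds in Mike's log are the clue worth checking before chasing network gear: a monitor only hands a UDP payload to its analyzers once the datagram verifies, and a capture taken on the sending host with checksum offload enabled commonly shows every outbound datagram with a wrong checksum (libpcap sees the packet before the NIC fills the field in) while inbound packets verify fine. The script below is an added example, not code from the thread or from Bro: it recomputes the RFC 768 UDP checksum over the IPv4 pseudo-header the way a monitor must, distinguishes a wrong checksum from the legal IPv4 "no checksum" value of zero, and runs that check over three constructed packets modelled on the first tcpdump line above (same client, resolver, ports and 48-byte SRV query; the bytes are built here, not taken from Mike's capture). The "offloaded" sample simply carries a checksum that does not verify, as a stand-in for what such a capture shows.

```python
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header + UDP header (checksum field zeroed) + payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = 0xFFFF & ~ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF                   # a computed 0 is sent as all ones; 0 on the wire means "no checksum"


def check_udp_frame(pkt: bytes) -> str:
    """Verdict for one IPv4/UDP packet (no link layer): 'ok', 'none' (field is 0, legal in IPv4) or 'bad'."""
    if pkt[0] >> 4 != 4 or pkt[9] != UDP_PROTO:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    udp = pkt[ihl:ihl + udp_len]            # ignore any trailer after the UDP datagram
    on_wire = struct.unpack("!H", udp[6:8])[0]
    if on_wire == 0:
        return "none"
    return "ok" if udp_checksum(src, dst, udp) == on_wire else "bad"


def dns_query(qid: int, name: str, qtype: int) -> bytes:
    """Minimal DNS question (flags RD, one question, class IN)."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", qtype, 1)


def build_udp_packet(src: str, sport: int, dst: str, dport: int, payload: bytes, checksum: int = None) -> bytes:
    """IPv4+UDP bytes. checksum=None fills in a correct UDP checksum; any other value is written as given."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    if checksum is None:
        checksum = udp_checksum(src_b, dst_b, udp)
    udp = struct.pack("!HHHH", sport, dport, udp_len, checksum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x6078, 0x4000, 64, UDP_PROTO, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", 0xFFFF & ~ones_complement_sum(ip)) + ip[12:]   # IP header checksum
    return ip + udp


# Constructed sample traffic, modelled on the first tcpdump line in the thread (same addresses,
# ports and 48-byte SRV query); these bytes are built here and are not from Mike's capture.
CLIENT, RESOLVER = "141.142.222.33", "141.142.2.2"
QUERY = dns_query(24696, "_kerberos-master._tcp.NCSA.EDU", 33)   # qtype 33 = SRV

GOOD = build_udp_packet(CLIENT, 32909, RESOLVER, 53, QUERY)
_correct = struct.unpack("!H", GOOD[26:28])[0]
# Stand-in for an outbound datagram captured before the NIC filled the field in (checksum offload):
# the value on the wire (here: correct + 1, never 0) does not verify.
OFFLOADED = build_udp_packet(CLIENT, 32909, RESOLVER, 53, QUERY, checksum=(_correct % 0xFFFF) + 1)
NO_CSUM = build_udp_packet(CLIENT, 32909, RESOLVER, 53, QUERY, checksum=0)


def classify_all() -> dict:
    """Run the checksum check over the three constructed samples."""
    return {
        "good": check_udp_frame(GOOD),
        "offloaded": check_udp_frame(OFFLOADED),
        "no_checksum": check_udp_frame(NO_CSUM),
    }


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print("%-12s %s" % (name, verdict))
```

If a real capture taken on the client shows the same pattern as the constructed "offloaded" sample (outbound datagrams bad, inbound ones fine), the cause is on the capturing host rather than in the network, and the fix is to capture from a host that is not the sender, turn off offload on the capturing interface, or have the monitor skip verification. Bro has an `ignore_checksums` redefinable option for the last of these; confirm its exact spelling in the bro.init shipped with your version, since that name is stated here from memory rather than from this thread.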