[Bro] UDP contents

Mike Dopheide dopheide at ncsa.uiuc.edu
Mon Jan 29 17:06:59 PST 2007 

I've upgraded to Bro 1.2.1 and here are four packets that correspond to 
a DNS request and the kerberos request:

18:15:49.693120 IP 141.142.222.33.32909 > 141.142.2.2.domain:  24696+ 
SRV? _kerberos-master._tcp.NCSA.EDU. (48)
18:15:49.693493 IP 141.142.2.2.domain > 141.142.222.33.32909:  24696 
NXDomain* 0/1/0 (105)
18:15:49.693545 IP 141.142.222.33.32909 > 141.142.3.16.kerberos:  v5
18:15:49.694244 IP 141.142.3.16.kerberos > 141.142.222.33.32909:

And my bro output:

32909/udp 53/udp F
32909/udp 88/udp F

In this case, 141.142.222.33 is the local client where bro is running. 
Interestingly enough, I did a tcpdump from two other clients.  One in 
the same building gave similar results, one in the building with the 
kerberos server gave me the results we should expect:

36209/udp 53/udp T
36209/udp 53/udp F
36209/udp 88/udp T
36209/udp 88/udp F

Now might be a good time to mention that I also see these messages 
locally, but I had always assumed they were unrelated and due to other 
local traffic:

1170117967.140200 weird: bad_UDP_checksum
1170117967.140751 weird: bad_UDP_checksum
1170117967.141191 weird: bad_UDP_checksum
1170117967.142015 weird: bad_TCP_checksum
1170117967.142807 weird: bad_TCP_checksum

So..  my current theory is there's something screwy with our local 
network and I intend to find out what's causing it.  I'll let you know 
when I do.  This UDP traffic 'works' so I think Bro should be detecting 
it regardless of whether some networking equipment might be mangling the 
packets a bit.

-Mike

Christian Kreibich wrote:
> Hi Mike,
> 
> it doesn't look like you're doing anything wrong. However, I've just
> tried dumping some UDP contents with Bro 1.2.1 and it works fine, so we
> need to figure out why it's not working for you.
> 
> I have this traffic:
> 
> 22:26:10.089582 IP 1.2.3.211.53 > 200.33.146.222.32789:  3628*- 1/4/4 PTR [...]. (245)
> 22:26:10.089582 IP 1.2.3.211.32789 > 200.33.146.222.53:  18275 A? [...]. (44)
> 22:26:10.229573 IP 1.2.3.211.53 > 200.33.146.222.32789:  18275*- 1/3/3 A [...] (187)
> 22:30:39.981424 IP 1.2.3.211.32789 > 200.33.146.222.53:  36142 PTR? [...]. (44)
> 22:30:40.141413 IP 1.2.3.211.53 > 200.33.146.222.32789:  36142* 1/2/2 PTR [...]. (16
> 22:30:40.151412 IP 1.2.3.211.32789 > 200.33.146.222.53:  20837 A? [...]. (52)
> 22:30:40.311401 IP 1.2.3.211.53 > 200.33.146.222.32789:  20837 NXDomain* 0/1/0 (120)
> 
> and this policy, in which I don't print out the contents, but have added
> output of the is_orig flag that shows the directionality of the packet:
> 
> ----
> global dop = open_log_file("dop") &redef;
> 
> event udp_contents(u: connection, is_orig: bool, contents: string){
>   local id = u$id;
>   print dop, fmt("KDC %s %s %s",id$orig_p,id$resp_p, is_orig);
> }
> ----
> 
> I get output from both directions as expected:
> 
> KDC 32789/udp 53/udp F
> KDC 32789/udp 53/udp T
> KDC 32789/udp 53/udp F
> KDC 32789/udp 53/udp T
> KDC 32789/udp 53/udp F
> KDC 32789/udp 53/udp T
> KDC 32789/udp 53/udp F
> 
> Could validate via is_orig whether you see the right directions, and use
> Bro 1.2.1 for your tests?
> 
> On Mon, 2007-01-29 at 14:22 -0600, Mike Dopheide wrote:
>> I'm having a slight problem getting the contents of Kerberos UDP 
>> packets.  This is my first attempt at Bro so hopefully my error is 
>> something simple.
> [...]
> 
> Cheers,
> Christian.

More information about the Bro mailing list