[Bro] Why do I get duplicate new_connection event?

miles grun milesgrun at yahoo.com
Thu Mar 15 10:47:04 PDT 2007


Hi,
   
  I am quite new to Bro. I have been experimenting
with it for a couple of days now, and couldn't
figure out the reason for the problem below (I went
through the archives as much as I could but nothing
popped up).
   
  I am running the following simple Bro script on the
test data using the steps below:
   
  $cat a.bro
@load weird
  
event new_connection(c: connection)
{
   print fmt("new connection=%s",c);
}
   
   
  $tcpdump -r test.1 -n -tt
reading from file test.1, link-type EN10MB (Ethernet)
1007672739.741946 IP 190.84.172.89.2278 >
222.37.1.55.80: S 3585205640:3585205640(0) win 5840
<mss 1460,sackOK,timestamp 4795498 0,nop,wscale 0>
1007672740.081079 IP 222.37.1.55.80 >
190.84.172.89.2278: S 3552369456:3552369456(0) ack
3585205641 win 1460 <mss 1460,sackOK,timestamp
658637388 4795498,nop,wscale 0>
1007672740.083354 IP 190.84.172.89.2278 >
222.37.1.55.80: . ack 1 win 5840 <nop,nop,timestamp
4795532 658637388>
1007672740.090794 IP 190.84.172.89.2278 >
222.37.1.55.80: P 1:626(625) ack 1 win 5840
<nop,nop,timestamp 4795532 658637388>
1007672740.443563 IP 222.37.1.55.80 >
190.84.172.89.2278: . ack 626 win 31856
<nop,nop,timestamp 658637423 4795532>
1007672743.331707 IP 222.37.1.55.80 >
190.84.172.89.2278: P 1:206(205) ack 626 win 31856
<nop,nop,timestamp 658637723 4795532>
1007672743.334165 IP 190.84.172.89.2278 >
222.37.1.55.80: . ack 206 win 6432 <nop,nop,timestamp
4795857 658637723>
1007672743.478567 IP 190.84.172.89.2278 >
222.37.1.55.80: P 626:1262(636) ack 206 win 6432
<nop,nop,timestamp 4795871 658637723>
1007672743.692464 IP 222.37.1.55.80 >
190.84.172.89.2278: P 206:410(204) ack 1262 win 31856
<nop,nop,timestamp 658637762 4795871>
1007672743.694853 IP 190.84.172.89.2278 >
222.37.1.55.80: . ack 410 win 7504 <nop,nop,timestamp
4795893 658637762>
1007672743.838441 IP 190.84.172.89.2278 >
222.37.1.55.80: P 1262:1895(633) ack 410 win 7504
<nop,nop,timestamp 4795907 658637762>
1007672744.048642 IP 222.37.1.55.80 >
190.84.172.89.2278: P 410:614(204) ack 1895 win 31856
<nop,nop,timestamp 658637799 4795907>
1007672744.051076 IP 190.84.172.89.2278 >
222.37.1.55.80: . ack 614 win 8576 <nop,nop,timestamp
4795929 658637799>
1007672751.518485 IP 190.84.172.89.2278 >
222.37.1.55.80: F 1895:1895(0) ack 614 win 8576
<nop,nop,timestamp 4796676 658637799>
1007672751.835071 IP 222.37.1.55.80 >
190.84.172.89.2278: . ack 1896 win 31856
<nop,nop,timestamp 658638566 4796676>
1007672751.835299 IP 222.37.1.55.80 >
190.84.172.89.2278: F 614:614(0) ack 1896 win 31856
<nop,nop,timestamp 658638566 4796676>
1007672751.839189 IP 190.84.172.89.2278 >
222.37.1.55.80: . ack 615 win 8576 <nop,nop,timestamp
4796708 658638566>

   
  $bro -r test.1 ./a.bro 
new connection=[id=[orig_h=190.84.172.89,
orig_p=2278/tcp, resp_h=222.37.1.55, resp_p=80/tcp],
orig=[size=0, state=1], resp=[size=0, state=0],
start_time=1007672739.74195, duration=0.0, service=,
addl=cc=1, hot=0, history=]

(I REMOVED HTTP CONTENT GAP EVENTS FOR CONCISENESS)

new connection=[id=[orig_h=190.84.172.89,
orig_p=2278/tcp, resp_h=222.37.1.55, resp_p=80/tcp],
orig=[size=0, state=0], resp=[size=0, state=0],
start_time=1007672751.83919, duration=0.0, service=,
addl=, hot=0, history=]
$

   
  From the timestamp, it looks to me as though the second
new connection is triggered by the last ACK. But this
ACK is the ACK of the FIN packet from the server, so we
should not receive a second new_connection event. Is
there anything I am missing here, or is it the
expected behavior?

Note: I am using bro-1.2.1 and did not change anything
in the policy directory.
   
  Thanks for all your time,
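As an added diagnostic, not part of the original post or of the Bro distribution, the following script keeps a per-4-tuple count of new_connection events and also prints connection_finished and connection_state_remove with the current network time, so the output shows whether Bro discarded its state for the connection before the final ACK was processed. It assumes Bro 1.x script syntax and the standard events named here; the file name diag.bro and the helper tuple_string are my own.

```bro
# Added diagnostic script (not from the original post). Assumes Bro 1.x
# syntax; the events new_connection, connection_finished and
# connection_state_remove are standard Bro events, tuple_string is a
# helper written for this example.
@load weird

# Number of new_connection events seen per 4-tuple (indexed by the conn_id record).
global new_conn_count: table[conn_id] of count &default = 0;

function tuple_string(id: conn_id): string
	{
	return fmt("%s:%s -> %s:%s", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
	}

event new_connection(c: connection)
	{
	++new_conn_count[c$id];
	# A count above 1 means Bro created a second connection record for
	# the same 4-tuple; the history string shows what it had seen so far.
	print fmt("%s new_connection #%d for %s orig_state=%d resp_state=%d history=%s",
	          network_time(), new_conn_count[c$id], tuple_string(c$id),
	          c$orig$state, c$resp$state, c$history);
	}

event connection_finished(c: connection)
	{
	print fmt("%s connection_finished for %s history=%s",
	          network_time(), tuple_string(c$id), c$history);
	}

event connection_state_remove(c: connection)
	{
	# Once Bro has discarded a connection's state, a later packet on the
	# same 4-tuple is treated as the start of a new connection, so the
	# position of this line relative to the final ACK is what to look at.
	print fmt("%s connection_state_remove for %s history=%s",
	          network_time(), tuple_string(c$id), c$history);
	}
```

Run it the same way as the script in the post, e.g. `bro -r test.1 ./diag.bro`, and compare the timestamp of the connection_state_remove line with the timestamp of the last ACK in the tcpdump output: if state removal precedes the final ACK, the second new_connection is a fresh connection record rather than a repeat of the first one, which matters for any policy that counts new_connection events as distinct sessions.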

