[Bro] Why do I get duplicate new_connection event?

Miles Grun milesgrun at yahoo.com
Thu Mar 15 15:01:37 PDT 2007


Thanks for the quick response. I believed (but I may be wrong) that
this is because only the first 64 bytes of the packets exist in this
pcap file. Here is test.1 (uuencoded). I have also attached it to this
email.

regards,


--- Christian Kreibich <christian at whoop.org> wrote:

> Hi,
>
> it's not clear to me why you see an additional new_connection event, but
> I also don't understand why you apparently encounter content gaps,
> because (after just eyeballing) I don't see any. Would you mind sending
> that trace?
>
> ps: it's a good idea to turn off linewrapping in your mailer when
> sending log output.
>
> Cheers,
> Christian
> --
> http://www.icir.org/christian
> http://www.whoop.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.1
Type: application/octet-stream
Size: 1434 bytes
Desc: pat569700682
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070315/9d3c09b3/attachment.obj 