[Bro] Why do I get duplicate new_connection event?
Miles Grun
milesgrun at yahoo.com
Thu Mar 15 18:24:11 PDT 2007
Hi Again,
I would like to post the pcap file (test.1) that caused double new_connection messages. My
previous email contained this file in uuencoded format, however, I have discovered that the email
system somehow substituted @ with `at` in message body.
Since I do not know how to work around this problem and/or post a binary file, I am posting the
fully decoded pcap file instead. I hope somebody can point out the reason for double new connection
messages quickly.
Best regards,
$ tcpdump -r test.1 -XX -n
16:05:39.741946 IP 190.84.172.89.2278 > 222.37.1.55.80: S
3585205640:3585205640(0) win 5840 <mss 1460,sackOK,timestamp 4795498 0,nop,wscale 0>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 003c c9e2 4000 4006 26cf be54 ac59 de25 .<..@.@.&..T.Y.%
0x0020: 0137 08e6 0050 d5b1 e588 0000 0000 a002 .7...P..........
0x0030: 16d0 f608 0000 0204 05b4 0402 080a 0049 ...............I
0x0040: 2c6a 0000 0000 0103 0300 ,j........
16:05:40.081079 IP 222.37.1.55.80 > 190.84.172.89.2278: S
3552369456:3552369456(0) ack 3585205641 win 1460 <mss 1460,sackOK,timestamp
658637388 4795498,nop,wscale 0>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 003c 262b 4000 3606 d486 de25 0137 be54 .<&+@.6....%.7.T
0x0020: ac59 0050 08e6 d3bc db30 d5b1 e589 a012 .Y.P.....0......
0x0030: 05b4 2e98 0000 0204 05b4 0402 080a 2742 ..............'B
0x0040: 024c 0049 2c6a 0103 0300 .L.I,j....
16:05:40.083354 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 1 win
5840 <nop,nop,timestamp 4795532 658637388>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 0034 c9e3 4000 4006 26d6 be54 ac59 de25 .4..@.@.&..T.Y.%
0x0020: 0137 08e6 0050 d5b1 e589 d3bc db31 8010 .7...P.......1..
0x0030: 16d0 4c1f 0000 0101 080a 0049 2c8c 2742 ..L........I,.'B
0x0040: 024c .L
16:05:40.090794 IP 190.84.172.89.2278 > 222.37.1.55.80: P 1:626(625)
ack 1 win 5840 <nop,nop,timestamp 4795532 658637388>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 02a5 c9e4 4000 4006 2464 be54 ac59 de25 ....@.@.$d.T.Y.%
0x0020: 0137 08e6 0050 d5b1 e589 d3bc db31 8018 .7...P.......1..
0x0030: 16d0 02ce 0000 0101 080a 0049 2c8c 2742 ...........I,.'B
0x0040: 024c .L
16:05:40.443563 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 626 win
31856 <nop,nop,timestamp 658637423 4795532>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 0034 264d 4000 3606 d46c de25 0137 be54 .4&M@.6..l.%.7.T
0x0020: ac59 0050 08e6 d3bc db31 d5b1 e7fa 8010 .Y.P.....1......
0x0030: 7c70 e3ea 0000 0101 080a 2742 026f 0049 |p........'B.o.I
0x0040: 2c8c ,.
16:05:43.331707 IP 222.37.1.55.80 > 190.84.172.89.2278: P 1:206(205)
ack 626 win 31856 <nop,nop,timestamp 658637723 4795532>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 0101 26e5 4000 3606 d307 de25 0137 be54 ..&.@.6....%.7.T
0x0020: ac59 0050 08e6 d3bc db31 d5b1 e7fa 8018 .Y.P.....1......
0x0030: 7c70 3e52 0000 0101 080a 2742 039b 0049 |p>R......'B...I
0x0040: 2c8c ,.
16:05:43.334165 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 206 win
6432 <nop,nop,timestamp 4795857 658637723>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 0034 c9e5 4000 4006 26d4 be54 ac59 de25 .4..@.@.&..T.Y.%
0x0020: 0137 08e6 0050 d5b1 e7fa d3bc dbfe 8010 .7...P..........
0x0030: 1920 43fd 0000 0101 080a 0049 2dd1 2742 ..C........I-.'B
0x0040: 039b ..
16:05:43.478567 IP 190.84.172.89.2278 > 222.37.1.55.80: P 626:1262(636)
ack 206 win 6432 <nop,nop,timestamp 4795871 658637723>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 02b0 c9e6 4000 4006 2457 be54 ac59 de25 ....@.@.$W.T.Y.%
0x0020: 0137 08e6 0050 d5b1 e7fa d3bc dbfe 8018 .7...P..........
0x0030: 1920 7749 0000 0101 080a 0049 2ddf 2742 ..wI.......I-.'B
0x0040: 039b ..
16:05:43.692464 IP 222.37.1.55.80 > 190.84.172.89.2278: P 206:410(204)
ack 1262 win 31856 <nop,nop,timestamp 658637762 4795871>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 0100 26fb 4000 3606 d2f2 de25 0137 be54 ..&.@.6....%.7.T
0x0020: ac59 0050 08e6 d3bc dbfe d5b1 ea76 8018 .Y.P.........v..
0x0030: 7c70 00af 0000 0101 080a 2742 03c2 0049 |p........'B...I
0x0040: 2ddf -.
16:05:43.694853 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 410 win
7504 <nop,nop,timestamp 4795893 658637762>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 0034 c9e7 4000 4006 26d2 be54 ac59 de25 .4..@.@.&..T.Y.%
0x0020: 0137 08e6 0050 d5b1 ea76 d3bc dcca 8010 .7...P...v......
0x0030: 1d50 3c3a 0000 0101 080a 0049 2df5 2742 .P<:.......I-.'B
0x0040: 03c2 ..
16:05:43.838441 IP 190.84.172.89.2278 > 222.37.1.55.80: P
1262:1895(633) ack 410 win 7504 <nop,nop,timestamp 4795907 658637762>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 02ad c9e8 4000 4006 2458 be54 ac59 de25 ....@.@.$X.T.Y.%
0x0020: 0137 08e6 0050 d5b1 ea76 d3bc dcca 8018 .7...P...v......
0x0030: 1d50 5520 0000 0101 080a 0049 2e03 2742 .PU........I..'B
0x0040: 03c2 ..
16:05:44.048642 IP 222.37.1.55.80 > 190.84.172.89.2278: P 410:614(204)
ack 1895 win 31856 <nop,nop,timestamp 658637799 4795907>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 0100 2715 4000 3606 d2d8 de25 0137 be54 ..'.@.6....%.7.T
0x0020: ac59 0050 08e6 d3bc dcca d5b1 ecef 8018 .Y.P............
0x0030: 7c70 d64d 0000 0101 080a 2742 03e7 0049 |p.M......'B...I
0x0040: 2e03 ..
16:05:44.051076 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 614 win
8576 <nop,nop,timestamp 4795929 658637799>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 0034 c9e9 4000 4006 26d0 be54 ac59 de25 .4..@.@.&..T.Y.%
0x0020: 0137 08e6 0050 d5b1 ecef d3bc dd96 8010 .7...P..........
0x0030: 2180 347c 0000 0101 080a 0049 2e19 2742 !.4|.......I..'B
0x0040: 03e7 ..
16:05:51.518485 IP 190.84.172.89.2278 > 222.37.1.55.80: F 1895:1895(0)
ack 614 win 8576 <nop,nop,timestamp 4796676 658637799>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 0034 c9ea 4000 4006 26cf be54 ac59 de25 .4..@.@.&..T.Y.%
0x0020: 0137 08e6 0050 d5b1 ecef d3bc dd96 8011 .7...P..........
0x0030: 2180 3190 0000 0101 080a 0049 3104 2742 !.1........I1.'B
0x0040: 03e7 ..
16:05:51.835071 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 1896 win
31856 <nop,nop,timestamp 658638566 4796676>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 0034 28e0 4000 3606 d1d9 de25 0137 be54 .4(.@.6....%.7.T
0x0020: ac59 0050 08e6 d3bc dd96 d5b1 ecf0 8010 .Y.P............
0x0030: 7c70 d3a0 0000 0101 080a 2742 06e6 0049 |p........'B...I
0x0040: 3104 1.
16:05:51.835299 IP 222.37.1.55.80 > 190.84.172.89.2278: F 614:614(0)
ack 1896 win 31856 <nop,nop,timestamp 658638566 4796676>
0x0000: 214c b7cd a2a0 0800 2b9e 8899 0800 4500 !L......+.....E.
0x0010: 0034 28e1 4000 3606 d1d8 de25 0137 be54 .4(.@.6....%.7.T
0x0020: ac59 0050 08e6 d3bc dd96 d5b1 ecf0 8011 .Y.P............
0x0030: 7c70 d39f 0000 0101 080a 2742 06e6 0049 |p........'B...I
0x0040: 3104 1.
16:05:51.839189 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 615 win
8576 <nop,nop,timestamp 4796708 658638566>
0x0000: 214c b7cd a2a0 0030 65d5 5e08 0800 4500 !L.....0e.^...E.
0x0010: 0034 0000 4000 ff06 31b9 be54 ac59 de25 .4..@...1..T.Y.%
0x0020: 0137 08e6 0050 d5b1 ecf0 d3bc dd97 8010 .7...P..........
0x0030: 2180 2e70 0000 0101 080a 0049 3124 2742 !..p.......I1$'B
0x0040: 06e6 ..