[Bro] Load Balancers
Bill Jones
bill.jones at syntervision.com
Sat Feb 6 11:04:15 PST 2010
Justin,
Thanks for the response. I do actually see a "Connection:
Keep-Alive\r\n" in the GET packet. From this, can I assume that a
persistent connection is being held, thus the confusion by bro?
If so, do you have any ideas or suggestions on how I can get the HTTP
analyzer to still process these as if the connection had been
established normally?
Regards,
Bill
On Sat, Feb 6, 2010 at 1:51 PM, Justin Azoff <JAzoff at uamail.albany.edu> wrote:
> On Sat, Feb 06, 2010 at 01:12:36PM -0500, Bill Jones wrote:
>> That's what I'm finding strange. After running a tcpdump capture on
>> the interface and analyzing it with Wireshark, I do not see any 3-way
>> handshakes for this particular web application. For any HTTP GET that
>> I see in Wireshark that pertains to this application, when I "Follow
>> TCP Stream", the first entry in Wireshark is always the GET message
>> itself. For all other applications on the network, doing the above
>> results in the first entry being the SYN.
>
> Just to make sure this isn't it, what bpf filter if any are you using with
> tcpdump and bro?
>
> If it's not the filter, the only thing I can think of is that the load balancer
> is opening a persistent (http/1.1 keep-alive) connection to the backend servers.
>
> I don't know how common that sort of thing is, but it would be easy to check
> for, you would see the http/1.1 connection: header in the GET request.
>
> you could also see if tcpdump sees a 3-way handshake if you restart one of the
> webservers.
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst
>
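The two checks Justin describes (no SYN at the start of the stream, and a keep-alive Connection: header on the GET) can be applied to a capture mechanically. The script below is an added example, not code from this thread or from Bro; the packet records and addresses are constructed inline, and a real run would feed it the 4-tuple, TCP flags and payload of each packet from the pcap.

```python
"""Triage TCP streams for the load-balancer keep-alive pattern: a stream whose
first observed packet is already an HTTP request (no 3-way handshake seen)
and whose requests carry "Connection: Keep-Alive"."""

# Constructed sample packets: (src, sport, dst, dport, tcp_flags, payload).
# Flags use tcpdump-style letters: S=SYN, A=ACK, P=PSH.
SAMPLE_PACKETS = [
    # Ordinary client: full handshake, then a request on a fresh connection
    ("10.0.0.5", 40001, "10.0.1.10", 80, "S", b""),
    ("10.0.1.10", 80, "10.0.0.5", 40001, "SA", b""),
    ("10.0.0.5", 40001, "10.0.1.10", 80, "A", b""),
    ("10.0.0.5", 40001, "10.0.1.10", 80, "PA",
     b"GET /index.html HTTP/1.1\r\nHost: app\r\nConnection: close\r\n\r\n"),
    # Load balancer reusing a persistent backend connection opened before the
    # capture started: the first packet we see is a GET, and it is keep-alive
    ("10.0.0.2", 51234, "10.0.1.10", 80, "PA",
     b"GET /app/login HTTP/1.1\r\nHost: app\r\nConnection: Keep-Alive\r\n\r\n"),
    ("10.0.1.10", 80, "10.0.0.2", 51234, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
    ("10.0.0.2", 51234, "10.0.1.10", 80, "PA",
     b"GET /app/main HTTP/1.1\r\nHost: app\r\nConnection: Keep-Alive\r\n\r\n"),
]

def stream_key(pkt):
    """Direction-independent key so both halves of a stream group together."""
    src, sport, dst, dport, _, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def connection_header(payload):
    """Value of the Connection header of an HTTP request payload, else None."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"connection":
            return value.strip().decode()
    return None

def triage(packets):
    """Per stream: whether a SYN was seen, request count, keep-alive request count."""
    streams = {}
    for pkt in packets:
        st = streams.setdefault(stream_key(pkt),
                                {"handshake": False, "requests": 0, "keep_alive": 0})
        if "S" in pkt[4]:
            st["handshake"] = True
        conn = connection_header(pkt[5])
        if conn is not None:
            st["requests"] += 1
            st["keep_alive"] += conn.lower() == "keep-alive"
    return streams

def midstream_keepalive(packets):
    """Streams that start mid-connection and carry keep-alive requests."""
    return [k for k, st in triage(packets).items()
            if not st["handshake"] and st["keep_alive"] > 0]
```

Streams returned by `midstream_keepalive` are the ones the HTTP analyzer will have seen without a handshake, which is exactly the case being debugged here.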