[Bro] linking a wrong_fragment event to a connection

Veronica Estrada estrada.veronica at gmail.com
Thu Mar 11 03:22:54 PST 2010


Hello everyone,

I ask this topic again, trying to clarify my questions (and my English). I
want to associate a summary of wrong fragments to the corresponding line in
the connection summary.
I made a script to count the different fragment problems triggered by the
flow_weird event.

How can I know which connection has generated that wrong fragment event? The
wrong fragment event only logs src, dst and network_time. This is not enough
to link the fragment to a connection inside connection summary.

1247652196.907274 src_ip -> dst_ip: fragment_with_DF


By the way, I read about active and passive timeouts on connections
("Flow-based TCP Connection Analysis" by Limmer and Dressler).
I don't understand how this topic is treated in BRO. I found only one type
of timeout (TCP_inactivity_timeout). Is this timeout the active timeout? Can
I tune a passive timeout? Maybe I am missing other user-tunable timeouts
that can affect my results.

Maybe I am getting into the details of Bro's design, but I want to understand what
I am doing, and what I shouldn't do, to get the wrong fragment count inside
the conn.bro file.

Veronica Estrada
Nakao Laboratory
The University of Tokyo
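An added example, not part of the post and not Bro's own code, showing one way to do the linking the question asks for as a post-processing step over the two log outputs. It parses flow_weird lines in the format quoted above (`<ts> <src> -> <dst>: <name>`) and matches each one to connection-summary records by address pair and time window. The connection-record layout (start, duration, originator, responder, service) is an assumption made for this example and is not the real conn.log column order; the weird names other than fragment_with_DF and all addresses and timestamps are constructed sample values. The important caveat it encodes: a non-first IP fragment carries no TCP/UDP header, so a fragment weird has no ports, and an address pair plus timestamp can legitimately match more than one concurrent connection. Rather than silently picking one, the example keeps ambiguous and unmatched events separate so the counts attached to each connection line are only the ones that are certain.

```python
"""Link Bro flow_weird fragment events to connection-summary records.

Added example (not Bro code). Weird-line format follows the one quoted in
the post. The Conn record layout is an assumption for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# "<network_time> <src> -> <dst>: <weird_name>", as in the quoted log line.
WEIRD_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<name>\S+)$"
)


@dataclass(frozen=True)
class Conn:
    """Assumed connection-summary record (not the real conn.log layout)."""
    start: float      # network time the connection was first seen
    duration: float   # seconds until it ended or timed out
    orig: str         # originator address
    resp: str         # responder address
    service: str

    @property
    def end(self) -> float:
        return self.start + self.duration


def parse_weird(line: str):
    """Return (ts, src, dst, name) or None if the line is not a weird line."""
    m = WEIRD_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("src"), m.group("dst"), m.group("name")


def candidate_conns(weird, conns, slack: float = 0.0):
    """All connections a weird could belong to.

    Fragments carry no ports, so only the address pair (either direction)
    and the time window can be checked; `slack` widens the window to absorb
    the gap between a fragment's timestamp and the connection's start/end.
    """
    ts, src, dst, _ = weird
    return [
        c for c in conns
        if {src, dst} == {c.orig, c.resp}
        and c.start - slack <= ts <= c.end + slack
    ]


def link_weirds(weird_lines, conns, slack: float = 0.0):
    """Return (per_conn counts, ambiguous events, unmatched events).

    per_conn maps Conn -> {weird_name: count} and only holds events with
    exactly one candidate connection; anything else is reported, not guessed.
    """
    per_conn: dict = defaultdict(lambda: defaultdict(int))
    ambiguous, unmatched = [], []
    for line in weird_lines:
        w = parse_weird(line)
        if w is None:
            continue  # not a weird line; skip
        cands = candidate_conns(w, conns, slack)
        if not cands:
            unmatched.append(w)
        elif len(cands) > 1:
            ambiguous.append((w, cands))
        else:
            per_conn[cands[0]][w[3]] += 1
    return per_conn, ambiguous, unmatched


def summary_line(conn: Conn, counts) -> str:
    """Connection-summary style line with the fragment counts appended."""
    frag = " ".join(f"{k}={v}" for k, v in sorted(counts.items())) or "-"
    return (f"{conn.start:.6f} {conn.duration:.3f} {conn.orig} {conn.resp} "
            f"{conn.service} {frag}")


# Constructed sample data: conn 0 and conn 1 overlap in time between the
# same two hosts (one in each direction), so a fragment at 196.9 is ambiguous.
SAMPLE_CONNS = [
    Conn(1247652190.0, 10.0, "10.0.0.5", "192.0.2.9", "http"),
    Conn(1247652195.5, 3.0, "192.0.2.9", "10.0.0.5", "dns"),
    Conn(1247652300.0, 5.0, "10.0.0.5", "192.0.2.9", "ssh"),
]
SAMPLE_WEIRD = [
    "1247652196.907274 10.0.0.5 -> 192.0.2.9: fragment_with_DF",     # ambiguous
    "1247652302.100000 192.0.2.9 -> 10.0.0.5: fragment_inconsistency",  # conn 2
    "1247652400.000000 10.0.0.5 -> 192.0.2.9: fragment_overlap",     # no conn
    "garbage that is not a weird line",
]

if __name__ == "__main__":
    per_conn, ambiguous, unmatched = link_weirds(SAMPLE_WEIRD, SAMPLE_CONNS)
    for c in SAMPLE_CONNS:
        print(summary_line(c, per_conn.get(c, {})))
    print("ambiguous:", [(w[0], w[3], len(cs)) for w, cs in ambiguous])
    print("unmatched:", [(w[0], w[3]) for w in unmatched])
```

Running it prints one summary line per connection with the certain fragment counts, then the ambiguous and unmatched events; with the sample data only the ssh connection gets a count, the fragment_with_DF event is reported as ambiguous between two connections, and the last fragment falls outside every window. Widening `slack` trades fewer unmatched events for more ambiguous ones, which is the same tension the active/passive timeout question raises: the connection window you compare against is whatever the timeout policy produced.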