[Bro] linking a wrong_fragment event to a connection

Vern Paxson vern at icir.org
Thu Mar 11 07:56:48 PST 2010


> How can I know which connection has generated that wrong fragment event?

In general you can't.  Most individual fragments do not possess transport
headers, so there is no well-defined connection associated with them.
*If* the fragment is part of a whole collection, then you can locate the
transport header at the beginning of the collection and use its ports -
but Bro may not have even seen this first part yet.  So it only reports
the involved hosts.  (It also could in principle report ports if the
problematic fragment happens to be the first *and* includes a full transport
header [which it doesn't have to], but Bro doesn't go out of its way to
do the extra work in this case.)

> By the way, I read about active and passive timeouts on connections
> ("Flow-based TCP Connection Analysis" by Limmer and Dressler).
> I don't understand how this topic is treated in BRO.

You'll need to explain how those timeouts are defined in that paper for
others to be able to comment on how Bro's connection timeouts relate to them.

		Vern
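To make the point about missing transport headers concrete, here is an added example (written for this archive page, not code from Vern's reply and not Bro's own fragment handling). It builds constructed IPv4 fragments, parses the flags/offset field, and reports ports only when a fragment at offset 0 carries a full transport header, or once a complete collection has been reassembled and its first bytes can be read; everything else yields hosts only, which is the same information Bro has available. All addresses, identifiers and packet contents are made up for the demonstration.

```python
"""Constructed IPv4 fragments: which of them let us name a connection?"""
import struct
from ipaddress import IPv4Address

TCP, UDP = 6, 17
MF_FLAG = 0x2000       # "more fragments" bit in the IPv4 flags/offset field
OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units


def build_fragment(src, dst, proto, ident, offset_bytes, more, payload):
    """Minimal IPv4 packet (no options, checksum zeroed) carrying one fragment.
    Constructed sample data only; offsets must be multiples of 8 as in real IP."""
    assert offset_bytes % 8 == 0
    flags_frag = (MF_FLAG if more else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def transport_ports(proto, data):
    """Ports are recoverable only from a full transport header at offset 0."""
    if proto == UDP and len(data) >= 8:
        return struct.unpack("!HH", data[:4])
    if proto == TCP and len(data) >= 20:
        data_offset = (data[12] >> 4) * 4          # TCP header length incl. options
        if len(data) >= data_offset:
            return struct.unpack("!HH", data[:4])
    return None


def parse_fragment(packet):
    """IP-layer facts every fragment carries, plus ports if this fragment alone supplies them."""
    (ver_ihl, _, total_len, ident, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag = {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "proto": proto, "ident": ident,
        "offset": (flags_frag & OFFSET_MASK) * 8,
        "more": bool(flags_frag & MF_FLAG),
        "payload": packet[ihl:total_len],
    }
    # A non-first fragment never has a transport header; a first one may still be too short.
    frag["ports"] = transport_ports(proto, frag["payload"]) if frag["offset"] == 0 else None
    return frag


class Reassembler:
    """Group fragments by (src, dst, proto, ident) and name the connection only once complete."""

    def __init__(self):
        self.pending = {}

    def add(self, packet):
        frag = parse_fragment(packet)
        key = (frag["src"], frag["dst"], frag["proto"], frag["ident"])
        parts = self.pending.setdefault(key, {})
        parts[frag["offset"]] = (frag["payload"], frag["more"])
        datagram = self._assemble(parts)
        if datagram is None:
            # What a lone fragment gives: hosts always, ports only in the lucky first-fragment case.
            return {"hosts": (frag["src"], frag["dst"]), "ports": frag["ports"]}
        del self.pending[key]
        return {"hosts": key[:2], "ports": transport_ports(frag["proto"], datagram)}

    @staticmethod
    def _assemble(parts):
        """Return the full datagram if fragments are contiguous from 0 to the last one, else None."""
        expected, out = 0, b""
        for offset in sorted(parts):
            payload, more = parts[offset]
            if offset != expected:
                return None            # hole: first part (or a middle one) not seen yet
            out += payload
            expected += len(payload)
            if not more:
                return out
        return None                    # last fragment not seen yet


def demo():
    """Fragment a constructed TCP segment three ways and feed the pieces out of order."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0) + b"A" * 40
    src, dst = "10.0.0.1", "10.0.0.2"
    first = build_fragment(src, dst, TCP, 0x1234, 0, True, tcp[0:8])     # only 8 bytes of TCP header
    middle = build_fragment(src, dst, TCP, 0x1234, 8, True, tcp[8:40])
    last = build_fragment(src, dst, TCP, 0x1234, 40, False, tcp[40:])
    r = Reassembler()
    results = [r.add(middle), r.add(last), r.add(first)]
    # A first UDP fragment with its whole 8-byte header does let us read ports on its own.
    udp = build_fragment("10.0.0.3", "10.0.0.4", UDP, 7, 0, True,
                         struct.pack("!HHHH", 53, 1024, 16, 0) + b"x" * 8)
    return results, parse_fragment(udp)["ports"]


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The middle and last fragments, and even the 8-byte first fragment, come back with ports of None; only after all three pieces arrive does the reassembled datagram expose the TCP ports, which is the situation Vern describes where Bro may not yet have seen the part that would name the connection.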
