[Bro] TCP handshake

Robin Sommer robin at icir.org
Thu Jan 6 08:35:46 PST 2011


On Thu, Jan 06, 2011 at 17:39 +0900, you wrote:

> We think that it may affect short connections. For example, the pcap file
> can contain a syn-ack with a timestamp before the first SYN packet.

Yes, Bro will have trouble with that. It assumes that it sees 
packets in the order they were on the wire and if that's not the
case, results are not really predictable. If the problem were just
packets not sorted in terms of their timestamps, you could use Bro's
"packet sorter" feature to get them into the right order, but it
sounds like here the timestamps themselves are already off. It's
worth trying hard to avoid that at the point where packets are
captured.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
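As an added illustration of the distinction Robin draws (this is example code written for this page, not part of the thread and not Bro's own packet sorter), the script below takes a small constructed list of TCP packets in "file order", checks each connection's handshake, and separates the two failure modes: a SYN-ACK that merely appears before its SYN in the file (fixable by sorting on timestamps, which is what a packet sorter does) versus a SYN-ACK whose timestamp itself is earlier than the SYN's (not fixable after capture). The `Packet` record, the flag strings and the sample capture are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet record (constructed for this example, not a pcap parser)."""
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def conn_key(p):
    """Direction-independent 4-tuple so both sides of a connection land in one bucket."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def sort_by_timestamp(packets):
    """Stable reorder by timestamp: the kind of fix a packet sorter can apply."""
    return sorted(packets, key=lambda p: p.ts)


def find_handshake_anomalies(packets):
    """Return [(conn_key, kind)] for connections whose SYN / SYN-ACK ordering is wrong.

    kind is either
      "syn_ack_timestamp_before_syn"         -> timestamps are off at the capture point;
                                                 sorting cannot repair this, or
      "syn_ack_seen_before_syn_in_file_order" -> only the file order is wrong;
                                                 sorting by timestamp repairs it.
    """
    by_conn = defaultdict(list)
    for p in packets:                      # keep file order within each connection
        by_conn[conn_key(p)].append(p)

    anomalies = []
    for key, pkts in by_conn.items():
        syn = next((p for p in pkts if p.flags == "S"), None)
        synack = next((p for p in pkts if p.flags == "SA"), None)
        if syn is None or synack is None:  # no full handshake to judge
            continue
        if synack.ts < syn.ts:
            anomalies.append((key, "syn_ack_timestamp_before_syn"))
        elif pkts.index(synack) < pkts.index(syn):
            anomalies.append((key, "syn_ack_seen_before_syn_in_file_order"))
    return anomalies


# Constructed sample capture in file order (three short connections to 10.0.0.2:80).
CAPTURE = [
    # connection A: clean handshake
    Packet(1.000, "10.0.0.1", 40000, "10.0.0.2", 80, "S"),
    Packet(1.001, "10.0.0.2", 80, "10.0.0.1", 40000, "SA"),
    Packet(1.002, "10.0.0.1", 40000, "10.0.0.2", 80, "A"),
    # connection B: SYN-ACK written to the file before the SYN, timestamps fine
    Packet(2.001, "10.0.0.2", 80, "10.0.0.1", 40001, "SA"),
    Packet(2.000, "10.0.0.1", 40001, "10.0.0.2", 80, "S"),
    Packet(2.002, "10.0.0.1", 40001, "10.0.0.2", 80, "A"),
    # connection C: file order fine, but the SYN-ACK carries an earlier timestamp than the SYN
    Packet(3.005, "10.0.0.1", 40002, "10.0.0.2", 80, "S"),
    Packet(3.001, "10.0.0.2", 80, "10.0.0.1", 40002, "SA"),
    Packet(3.010, "10.0.0.1", 40002, "10.0.0.2", 80, "A"),
]


def anomaly_kinds(packets):
    """Just the kinds, in connection order, for a quick comparison before/after sorting."""
    return [kind for _, kind in find_handshake_anomalies(packets)]


if __name__ == "__main__":
    print("as captured :", anomaly_kinds(CAPTURE))
    print("after sorting:", anomaly_kinds(sort_by_timestamp(CAPTURE)))
```

Running it shows connection B disappearing from the report once the packets are sorted, while connection C is flagged both before and after: a timestamp that is wrong on the wire is the case Robin says has to be avoided at the capture point, because no post-processing step can tell which of the two timestamps to believe.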