[Bro] TCP handshake

Veronica Estrada estrada.veronica at gmail.com
Sat Jan 8 03:08:30 PST 2011


Thank you!
I did some metrics, and the problem is confined to just a few cases with a
fast handshake process. There are also some other rare cases, maybe more related
to anomalies on the net (crud).
V.E.


On Fri, Jan 7, 2011 at 1:35 AM, Robin Sommer <robin at icir.org> wrote:

>
> On Thu, Jan 06, 2011 at 17:39 +0900, you wrote:
>
> > We think that it may affect short connections. For example, the pcap file
> > can contain a syn-ack with a timestamp before the first SYN packet.
>
> Yes, Bro will have trouble with that. It assumes that it sees
> packets in the order they were on the wire and if that's not the
> case, results are not really predictable. If the problem were just
> packets not sorted in terms of their timestamps, you could use Bro's
> "packet sorter" feature to get them into the right order, but it
> sounds like here the timestamps themselves are already off. It's
> worth trying hard to avoid that at the point where packets are
> captured.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
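The distinction Robin draws above (records merely written to the file out of order versus timestamps that are themselves wrong) can be checked before handing a trace to Bro. The following is an added example, not code from this thread or from Bro: a minimal classic-pcap reader that pairs each SYN with its SYN-ACK and reports pairs Bro would see out of order, classifying them as sortable or as a clock problem. It assumes Ethernet/IPv4/TCP frames and builds its own constructed sample capture, so it runs offline.

```python
"""Find TCP handshakes in a pcap whose SYN-ACK precedes the SYN.

Added example for the thread above; not part of Bro.  Assumes a classic
(non-pcapng) pcap with Ethernet/IPv4/TCP frames.
"""
import socket
import struct

SYN = 0x02
ACK = 0x10


def iter_pcap(data):
    """Yield (record_index, timestamp_seconds, frame_bytes) from pcap file bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet link type is handled")
    off, idx = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield idx, ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len
        idx += 1


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[13]


def find_handshake_anomalies(data):
    """Classify SYN / SYN-ACK pairs that a wire-order analyser would see reversed.

    Returns (client, cport, server, sport, kind) tuples.  kind is 'unsorted'
    when the SYN-ACK comes earlier in the file but later by timestamp (a packet
    sorter fixes this) or 'timestamp' when the SYN-ACK is timestamped before the
    SYN (the timestamps themselves are wrong; sorting cannot help).
    """
    syn = {}     # (client, cport, server, sport) -> (record_index, ts)
    synack = {}
    for idx, ts, frame in iter_pcap(data):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if (flags & (SYN | ACK)) == SYN:
            syn.setdefault((src, sport, dst, dport), (idx, ts))
        elif (flags & (SYN | ACK)) == (SYN | ACK):
            synack.setdefault((dst, dport, src, sport), (idx, ts))
    out = []
    for key, (sa_idx, sa_ts) in synack.items():
        if key not in syn:
            continue
        s_idx, s_ts = syn[key]
        if sa_ts < s_ts:
            out.append(key + ("timestamp",))
        elif sa_idx < s_idx:
            out.append(key + ("unsorted",))
    return out


def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums zero; constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """Write a little-endian classic pcap from (timestamp_seconds, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed capture: one clean handshake, one written to the file out of
# order but with consistent clocks, one whose SYN-ACK carries an earlier time.
SAMPLE_PCAP = build_pcap([
    (1.000, tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, SYN)),
    (1.001, tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, SYN | ACK)),
    (2.001, tcp_frame("10.0.0.2", "10.0.0.1", 80, 40001, SYN | ACK)),
    (2.000, tcp_frame("10.0.0.1", "10.0.0.2", 40001, 80, SYN)),
    (3.000, tcp_frame("10.0.0.1", "10.0.0.2", 40002, 80, SYN)),
    (2.999, tcp_frame("10.0.0.2", "10.0.0.1", 80, 40002, SYN | ACK)),
])

if __name__ == "__main__":
    for client, cport, server, sport, kind in find_handshake_anomalies(SAMPLE_PCAP):
        print(f"{client}:{cport} -> {server}:{sport}: {kind}")
```

Only connections reported as 'unsorted' are candidates for reordering; the 'timestamp' cases need to be fixed where the packets are captured, as Robin says, since no sorter can recover the true wire order from a clock that ran backwards.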