[Bro] conn.log - What does cc=1 mean?

sridhar basam sri at basam.org
Tue Jul 19 13:34:06 PDT 2011


On Tue, Jul 19, 2011 at 2:42 PM, David Vessey <jdvessey at gmail.com> wrote:

> Hello list,
>
> This is my first post - just another network monkey, been playing around
> with bro for the last year or so, writing some custom policy files to try
> and do some large scale analysis.
>
> Can anyone tell me what the "cc=1" means at the end of a line for conn.log
> output?
>
> I'm getting output lines like this:
>
> 1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ?
> RSTOS0 X cc=1
>
> The 'sent bytes' is "1865279311", which seems awfully high, and received
> are 0. A quick survey looks like most entries that have a large byte count
> with sent or received and 0 in the other direction have the state set to
> "RSTOS0" and the flags set to "X cc=1".
>
> I believe one of the main factors causing this is damaged PCAPs (limited
> snaplength, possibly dropped packets). However if I can exclude the damaged
> records, I can still carry on with some analysis.
>
>

I have seen these lines mostly on failed connections (could be either due to
missing packets in the capture file or genuine setup failures). The cc=1 is
from the connection compressor being enabled for this run. There is some
good documentation on what the connection compressor does and what enabling
it means in src/ConnCompressor.cc in the source tree.

I turn off the connection compressor for *some* of my analysis since you lose
some information when there are SYN retries. Have you looked at some of the
connections which have the cc=1 tag to see if they are just setup failures
or your trace is missing packets or there is something else weird with those
connections?

 Sridhar
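As an added illustration of the filtering David asks about (not code from the thread or from the Bro project), the script below parses lines in the format he posted and separates records that carry the pattern described above, state RSTOS0, the cc=1 tag, and bytes in only one direction, from ordinary records so that analysis can proceed on the rest. The column order (ts, duration, orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, conn_state, flags, addl) is assumed from the posted line; the second and third sample lines are constructed.

```python
"""Parse Bro 1.x-style conn.log lines and set aside records tagged cc=1 /
RSTOS0 with one-sided byte counts (likely failed setups or truncated captures).

Added example, not code from the Bro project or from the mailing-list thread.
Column order is assumed from the line posted in the thread; "?" marks an
unknown value in that format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ConnRecord:
    ts: float
    duration: Optional[float]
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: Optional[int]
    resp_bytes: Optional[int]
    conn_state: str
    flags: str
    addl: str  # trailing free-form field, e.g. "cc=1"

    @property
    def compressed(self) -> bool:
        """True when the connection compressor tagged the record (cc=1)."""
        return "cc=1" in self.addl.split()

    @property
    def one_sided(self) -> bool:
        """Bytes were seen in only one direction (the pattern noticed in the thread)."""
        ob = self.orig_bytes or 0
        rb = self.resp_bytes or 0
        return (ob > 0) != (rb > 0)

    @property
    def suspect(self) -> bool:
        """RSTOS0 + cc=1 + one-sided bytes: treat as damaged/failed, not as real traffic."""
        return self.conn_state == "RSTOS0" and self.compressed and self.one_sided


def _num(tok: str, conv):
    # "?" is the unknown marker in this log format
    return None if tok == "?" else conv(tok)


def parse_conn_line(line: str) -> ConnRecord:
    """Split one whitespace-separated conn.log line into a ConnRecord."""
    f = line.split()
    if len(f) < 12:
        raise ValueError(f"too few fields: {line!r}")
    return ConnRecord(
        ts=float(f[0]), duration=_num(f[1], float), orig_h=f[2], resp_h=f[3],
        service=f[4], orig_p=int(f[5]), resp_p=int(f[6]), proto=f[7],
        orig_bytes=_num(f[8], int), resp_bytes=_num(f[9], int),
        conn_state=f[10], flags=f[11], addl=" ".join(f[12:]),
    )


def split_records(lines) -> Tuple[List[ConnRecord], List[ConnRecord]]:
    """Return (clean, suspect) so byte-count analysis can run on clean records only."""
    clean, suspect = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        (suspect if rec.suspect else clean).append(rec)
    return clean, suspect


# Constructed sample: line 1 is the one posted in the thread; lines 2 and 3 are
# made up to show an ordinary completed connection and a compressed record whose
# bytes are two-sided (cc=1 alone does not make a record suspect).
SAMPLE_LOG = """\
1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ? RSTOS0 X cc=1
1307664150.000000 2.500000 10.0.0.5 10.0.0.9 http 51000 80 tcp 812 5430 SF X
1307664151.000000 0.001000 10.0.0.6 10.0.0.1 dns 40000 53 udp 60 120 SF X cc=1
"""

if __name__ == "__main__":
    clean, suspect = split_records(SAMPLE_LOG.splitlines())
    for r in suspect:
        print(f"suspect: {r.orig_h}:{r.orig_p} -> {r.resp_h}:{r.resp_p} "
              f"state={r.conn_state} orig_bytes={r.orig_bytes} resp_bytes={r.resp_bytes}")
    print(f"{len(clean)} clean, {len(suspect)} suspect")
```

Run it against a real conn.log with `split_records(open("conn.log"))`; the three-way test (state, tag, one-sided bytes) is deliberately narrower than "any cc=1", since the thread notes that the compressor tag alone only records that the compressor was enabled for the run.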