[Bro] conn.log - What does cc=1 mean?

Vern Paxson vern at icir.org
Tue Jul 19 16:32:29 PDT 2011


> 1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ?
> RSTOS0 X cc=1
> 
> The 'sent bytes' is "1865279311", which seems awfully high, and received are
> 0.

Yeah, the byte count for RSTOS0 connections is unreliable.  The reason is
that RSTOS0 means "the connection originator sent a SYN followed a while
later by a RST, with no SYN-ACK from the other side".  In that situation,
Bro's best guess as to the byte count for the connection is the difference
in sequence numbers between the RST and the SYN.  *Sometimes* that's correct,
but often there's no particular relationship between those two values, in
which case you get the equivalent of a garbage 32-bit value for the size.

> I believe one of the main factors causing this is damaged PCAPs (limited
> snaplength, possibly dropped packets)

Note, that's probably not what's causing the above.  Bro generally detects
damaged PCAPs and refrains from analyzing them.  Dropped packets can lead
to some degree of confusion, but RSTOS0 more often means that the originator
either had no luck (responder never answered, and eventually the originator
tore down the connection with a RST because of this), and/or the originator
was scanning.

		Vern
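The reply above explains why orig_bytes is untrustworthy for RSTOS0 rows. The following added example (not Bro's code and not from this thread) models that estimate as an assumption: for a SYN followed by an originator RST with no SYN-ACK in between, sent bytes are taken as the sequence-number distance from the SYN to the RST, modulo 2^32. The `Packet` class, `classify`, `estimate_orig_bytes` and `orig_bytes_plausible` are hypothetical helpers, and the packet samples and the 1024-byte plausibility limit are constructed for the illustration.

```python
"""Why the orig_bytes column is unreliable for RSTOS0 connections.

Added example, not Bro's implementation. It mimics (as an assumption) the
estimate described on the mailing list: with a SYN and then an originator
RST and no SYN-ACK in between, bytes sent = (seq_RST - seq_SYN) mod 2^32.
"""
from dataclasses import dataclass
from typing import List, Optional

SEQ_MOD = 2 ** 32


@dataclass
class Packet:
    direction: str  # "orig" or "resp": which side sent the segment
    flags: str      # subset of "S", "A", "R", "F", "P"
    seq: int        # TCP sequence number as seen on the wire


def seq_delta(syn_seq: int, rst_seq: int) -> int:
    """Sequence-number distance from the SYN to the RST, modulo 2^32."""
    return (rst_seq - syn_seq) % SEQ_MOD


def classify(packets: List[Packet]) -> str:
    """Minimal subset of conn_state (assumption: simplified).

    RSTOS0: the originator sent a SYN, the responder never answered with a
    SYN-ACK, and the originator then sent a RST. Everything else is OTHER.
    """
    saw_syn = any(p.direction == "orig" and "S" in p.flags and "A" not in p.flags
                  for p in packets)
    saw_synack = any(p.direction == "resp" and "S" in p.flags and "A" in p.flags
                     for p in packets)
    saw_orig_rst = any(p.direction == "orig" and "R" in p.flags for p in packets)
    if saw_syn and not saw_synack and saw_orig_rst:
        return "RSTOS0"
    return "OTHER"


def estimate_orig_bytes(packets: List[Packet]) -> Optional[int]:
    """The seq-difference estimate for an RSTOS0 connection; None otherwise."""
    if classify(packets) != "RSTOS0":
        return None
    syn = next(p for p in packets if p.direction == "orig" and "S" in p.flags)
    rst = next(p for p in packets if p.direction == "orig" and "R" in p.flags)
    return seq_delta(syn.seq, rst.seq)


def orig_bytes_plausible(state: str, orig_bytes: int,
                         resp_bytes: Optional[int], limit: int = 1024) -> bool:
    """Sanity check for a conn.log row.

    With RSTOS0 the responder never completed the handshake, so no
    application data could have been acknowledged; a large orig_bytes value
    is then almost certainly sequence-number garbage. The limit is an
    arbitrary constructed threshold, not a Bro setting.
    """
    if state != "RSTOS0":
        return True
    return orig_bytes <= limit


# Constructed sample: an honest abort, the RST sits right after the SYN's ISN
honest_abort = [Packet("orig", "S", 1000), Packet("orig", "R", 1001)]

# Constructed sample: the RST carries a sequence number unrelated to the SYN
garbage_abort = [Packet("orig", "S", 1000), Packet("orig", "R", 1865280311)]

# Constructed sample: a completed handshake, so the estimate does not apply
handshake = [Packet("orig", "S", 1000), Packet("resp", "SA", 5000),
             Packet("orig", "A", 1001)]

if __name__ == "__main__":
    for name, pkts in [("honest", honest_abort), ("garbage", garbage_abort),
                       ("handshake", handshake)]:
        est = estimate_orig_bytes(pkts)
        print(name, classify(pkts), est,
              orig_bytes_plausible(classify(pkts), est or 0, 0))
```

The garbage sample reproduces the shape of the row in the question: a sent-byte count of 1865279311 against zero received bytes, which the plausibility check rejects while accepting the honest abort.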


