[Bro] HTTP not being seen
James Lay
jlay at slave-tothe-box.net
Fri Sep 13 12:50:12 PDT 2013
On 2013-09-13 13:31, Liam Randall wrote:
> Let's enable your capture loss and see what happens:
>
> Add the following to your local.bro; on security onion it will be
> located at /opt/bro/share/bro/site/
>
> # count the ACKs, tell me the # and % I am missing
> @load misc/capture-loss.bro
>
> # By default capture-loss reports every 15 minutes, let's turn it up
> redef CaptureLoss::watch_interval = 1 min;
>
> Give it a couple of minutes and see what the log says under:
>
> /nsm/bro/logs/capture_loss.log
>
> You will see per worker statistics written every minute.
>
> Let us know.
>
> Thanks,
>
> Liam Randall
Thanks Liam...here's what I got:
#fields ts ts_delta peer gaps acks percent_lost
#types time interval string count count string
2013-09-13T13:34:59-0600 60.000084 bro 0 16 0.000%
2013-09-13T13:35:59-0600 60.000044 bro 0 0 0.000%
2013-09-13T13:36:59-0600 60.000048 bro 0 14 0.000%
2013-09-13T13:37:59-0600 60.000048 bro 1 1 100.000%
2013-09-13T13:38:59-0600 60.000038 bro 0 0 0.000%
2013-09-13T13:39:59-0600 60.000050 bro 0 0 0.000%
2013-09-13T13:40:59-0600 60.000093 bro 0 0 0.000%
2013-09-13T13:41:59-0600 60.000023 bro 0 0 0.000%
2013-09-13T13:42:59-0600 60.000022 bro 0 0 0.000%
2013-09-13T13:43:59-0600 60.000023 bro 0 0 0.000%
2013-09-13T13:44:59-0600 60.000089 bro 0 0 0.000%
2013-09-13T13:45:59-0600 60.000073 bro 0 0 0.000%
2013-09-13T13:46:59-0600 60.000011 bro 0 0 0.000%
Bro entries:
2013-09-13T13:45:33-0600 dPCMEyJBiU7 x.x.x.x 47285 50.18.192.250 80 tcp - - - - OTH - 0 C 0 0 0 0 (empty)
2013-09-13T13:45:33-0600 PFUbImVSSZ2 x.x.x.x 35306 205.171.2.25 53 udp 63725 www.duckduckgo.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 duckduckgo.com,50.18.192.250,50.18.192.251 900.000000,25.000000,25.000000
2013-09-13T13:45:34-0600 8ZduhgTSjm6 x.x.x.x 37025 205.171.2.25 53 udp 35309 duckduckgo.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 50.18.192.251,50.18.192.250 24.000000,24.000000
2013-09-13T13:45:34-0600 dPCMEyJBiU7 x.x.x.x 47285 50.18.192.250 80 active_connection_reuse - F bro
Wget info:
[13:45:20 gateway:~$] wget www.duckduckgo.com
--2013-09-13 13:45:33-- http://www.duckduckgo.com/
Resolving www.duckduckgo.com (www.duckduckgo.com)... 50.18.192.250, 50.18.192.251
Connecting to www.duckduckgo.com (www.duckduckgo.com)|50.18.192.250|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://duckduckgo.com/ [following]
--2013-09-13 13:45:34-- https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)... 50.18.192.251, 50.18.192.250
Connecting to duckduckgo.com (duckduckgo.com)|50.18.192.251|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8646 (8.4K) [text/html]
Saving to: `index.html'
100%[=========================>] 8,646 --.-K/s in 0s
2013-09-13 13:45:34 (86.8 MB/s) - `index.html' saved [8646/8646]
Tshark info:
2013-09-13 13:45:33.991079 x.x.x.x -> 50.18.192.250 TCP 76 47285 > 80 [SYN] Seq=0 Win=14520 Len=0 MSS=1452 SACK_PERM=1 TSval=147157135 TSecr=0 WS=16
2013-09-13 13:45:34.035256 50.18.192.250 -> x.x.x.x TCP 76 80 > 47285 [SYN, ACK] Seq=0 Ack=1 Win=7240 Len=0 MSS=1460 SACK_PERM=1 TSval=23107600 TSecr=147157135 WS=1
2013-09-13 13:45:34.035375 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [ACK] Seq=1 Ack=1 Win=14528 Len=0 TSval=147157146 TSecr=23107600
2013-09-13 13:45:34.035595 x.x.x.x -> 50.18.192.250 HTTP 186 GET / HTTP/1.1
2013-09-13 13:45:34.082121 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285 [ACK] Seq=1 Ack=119 Win=7122 Len=0 TSval=23107612 TSecr=147157146
2013-09-13 13:45:34.082132 50.18.192.250 -> x.x.x.x HTTP 503 HTTP/1.1 301 Moved Permanently (text/html)
2013-09-13 13:45:34.082241 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157158 TSecr=23107612
2013-09-13 13:45:34.446981 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [FIN, ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157249 TSecr=23107612
2013-09-13 13:45:34.492112 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285 [FIN, ACK] Seq=436 Ack=120 Win=7121 Len=0 TSval=23107714 TSecr=147157249
2013-09-13 13:45:34.492164 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [ACK] Seq=120 Ack=437 Win=15600 Len=0 TSval=147157260 TSecr=23107714
Not sure what to think...it's very strange. Thanks again.
James
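Added example, not part of the thread: a small parser for the capture_loss.log format shown above that recomputes percent_lost from gaps and acks and separates intervals with real loss from intervals where the worker saw no ACKs at all, which the log also prints as 0.000% even though it means the sensor is not seeing the traffic. The sample log is constructed in the layout of the one posted; the function names and the 5% threshold are assumptions of this example.

```python
"""Parse a Bro capture_loss.log and separate real loss from idle intervals."""
from typing import Dict, List

# Constructed sample in the layout of the log posted above (the real file is
# tab-separated; the #fields header names the columns).
SAMPLE_LOG = """\
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tstring
2013-09-13T13:34:59-0600\t60.000084\tbro\t0\t16\t0.000%
2013-09-13T13:37:59-0600\t60.000048\tbro\t1\t1\t100.000%
2013-09-13T13:38:59-0600\t60.000038\tbro\t0\t0\t0.000%
"""


def parse_capture_loss(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #types, #open, #close and other header lines
        if not fields:
            raise ValueError("data record before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def percent_lost(gaps: int, acks: int) -> float:
    """Loss estimate as printed in the log: gaps divided by ACKs seen.
    With no ACKs the ratio is undefined and the log shows 0.000%, so mirror that."""
    return 0.0 if acks == 0 else 100.0 * gaps / acks


def classify(records: List[Dict[str, str]], threshold: float = 5.0) -> Dict[str, List[str]]:
    """Return timestamps of 'lossy' intervals (loss at or above threshold) and
    'idle' intervals (no ACKs observed). An idle interval reports 0% loss but
    is the condition in the thread above: the worker saw no TCP traffic to
    judge by, so 0% is not a clean bill of health."""
    out: Dict[str, List[str]] = {"lossy": [], "idle": []}
    for rec in records:
        gaps, acks = int(rec["gaps"]), int(rec["acks"])
        if acks == 0:
            out["idle"].append(rec["ts"])
        elif percent_lost(gaps, acks) >= threshold:
            out["lossy"].append(rec["ts"])
    return out


if __name__ == "__main__":
    print(classify(parse_capture_loss(SAMPLE_LOG)))
```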