[Bro] HTTP not being seen

Liam Randall liam at broala.com
Fri Sep 13 14:23:32 PDT 2013 

How is the data getting to bro?  Span port?  Tap?


On Fri, Sep 13, 2013 at 3:50 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> On 2013-09-13 13:31, Liam Randall wrote:
>
>> Lets enable your capture loss and see what happens:
>>
>>
>> Add the following to your local.bro; on security onion it will be
>> located at /opt/bro/share/bro/site/
>>
>>  # count the ACKs, tell me the # and % I am missing
>> @load misc/capture-loss.bro
>>
>> # By default capture-loss reports every 15 minutes, lets turn it up
>>
>> redef CaptureLoss::watch_interval = 1 min;
>>
>> Give it a couple of minutes and see what the log says under:
>>
>> /nsm/bro/logs/capture_loss.log
>>
>> You will see per worker statistics written every minute.
>>
>> Let us know.
>>
>> Thanks,
>>
>> Liam Randall
>>
>
>
> Thanks Liam...here's what I got:
> #fields ts      ts_delta        peer    gaps    acks    percent_lost
> #types  time    interval        string  count   count   string
> 2013-09-13T13:34:59-0600        60.000084       bro     0       16
>  0.000%
> 2013-09-13T13:35:59-0600        60.000044       bro     0       0
> 0.000%
> 2013-09-13T13:36:59-0600        60.000048       bro     0       14
>  0.000%
> 2013-09-13T13:37:59-0600        60.000048       bro     1       1
> 100.000%
> 2013-09-13T13:38:59-0600        60.000038       bro     0       0
> 0.000%
> 2013-09-13T13:39:59-0600        60.000050       bro     0       0
> 0.000%
> 2013-09-13T13:40:59-0600        60.000093       bro     0       0
> 0.000%
> 2013-09-13T13:41:59-0600        60.000023       bro     0       0
> 0.000%
> 2013-09-13T13:42:59-0600        60.000022       bro     0       0
> 0.000%
> 2013-09-13T13:43:59-0600        60.000023       bro     0       0
> 0.000%
> 2013-09-13T13:44:59-0600        60.000089       bro     0       0
> 0.000%
> 2013-09-13T13:45:59-0600        60.000073       bro     0       0
> 0.000%
> 2013-09-13T13:46:59-0600        60.000011       bro     0       0
> 0.000%
>
> Bro entries:
> 2013-09-13T13:45:33-0600        dPCMEyJBiU7     x.x.x.x    47285
> 50.18.192.250   80      tcp     -       -       -       -       OTH     -
>     0       C       0       0       0       0       (empty)
> 2013-09-13T13:45:33-0600        PFUbImVSSZ2     x.x.x.x    35306
> 205.171.2.25    53      udp     63725   www.duckduckgo.com      1
> C_INTERNET      1       A       0       NOERROR F       F       T       T
>     0       duckduckgo.com,50.18.192.250,50.18.192.251
>  900.000000,25.000000,25.000000
> 2013-09-13T13:45:34-0600        8ZduhgTSjm6     x.x.x.x    37025
> 205.171.2.25    53      udp     35309   duckduckgo.com  1
> C_INTERNET      1       A       0       NOERROR F       F       T       T
>     0       50.18.192.251,50.18.192.250     24.000000,24.000000
> 2013-09-13T13:45:34-0600        dPCMEyJBiU7     x.x.x.x    47285
> 50.18.192.250   80      active_connection_reuse -       F       bro
>
>
> Wget info:
> [13:45:20 gateway:~$] wget www.duckduckgo.com
> --2013-09-13 13:45:33--  http://www.duckduckgo.com/
> Resolving www.duckduckgo.com (www.duckduckgo.com)... 50.18.192.250,
> 50.18.192.251
> Connecting to www.duckduckgo.com (www.duckduckgo.com)|50.18.192.250|:80...
> connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://duckduckgo.com/ [following]
> --2013-09-13 13:45:34--  https://duckduckgo.com/
> Resolving duckduckgo.com (duckduckgo.com)... 50.18.192.251, 50.18.192.250
> Connecting to duckduckgo.com (duckduckgo.com)|50.18.192.251|:443...
> connected.
>
> HTTP request sent, awaiting response... 200 OK
> Length: 8646 (8.4K) [text/html]
> Saving to: `index.html'
>
> 100%[=========================**>] 8,646       --.-K/s   in 0s
>
> 2013-09-13 13:45:34 (86.8 MB/s) - `index.html' saved [8646/8646]
>
>
> Tshark info:
> 2013-09-13 13:45:33.991079 x.x.x.x -> 50.18.192.250 TCP 76 47285 > 80
> [SYN] Seq=0 Win=14520 Len=0 MSS=1452 SACK_PERM=1 TSval=147157135 TSecr=0
> WS=16
> 2013-09-13 13:45:34.035256 50.18.192.250 -> x.x.x.x TCP 76 80 > 47285
> [SYN, ACK] Seq=0 Ack=1 Win=7240 Len=0 MSS=1460 SACK_PERM=1 TSval=23107600
> TSecr=147157135 WS=1
> 2013-09-13 13:45:34.035375 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80
> [ACK] Seq=1 Ack=1 Win=14528 Len=0 TSval=147157146 TSecr=23107600
> 2013-09-13 13:45:34.035595 x.x.x.x -> 50.18.192.250 HTTP 186 GET /
> HTTP/1.1
> 2013-09-13 13:45:34.082121 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285
> [ACK] Seq=1 Ack=119 Win=7122 Len=0 TSval=23107612 TSecr=147157146
> 2013-09-13 13:45:34.082132 50.18.192.250 -> x.x.x.x HTTP 503 HTTP/1.1 301
> Moved Permanently  (text/html)
> 2013-09-13 13:45:34.082241 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80
> [ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157158 TSecr=23107612
> 2013-09-13 13:45:34.446981 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80
> [FIN, ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157249 TSecr=23107612
> 2013-09-13 13:45:34.492112 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285
> [FIN, ACK] Seq=436 Ack=120 Win=7121 Len=0 TSval=23107714 TSecr=147157249
> 2013-09-13 13:45:34.492164 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80
> [ACK] Seq=120 Ack=437 Win=15600 Len=0 TSval=147157260 TSecr=23107714
>
> Not sure what to think...it's very strange.  Thanks again.
>
> James
>
>


-- 
Liam Randall
Managing Partner
510-281-0760
www.Broala.com <http://www.broala.com/>
>From the creators of Bro <http://www.bro.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130913/1e8d4198/attachment.html

More information about the Bro mailing list