[Bro] unreported packet loss

David Gugelmann david.gugelmann at tik.ee.ethz.ch
Sun Jan 5 11:37:03 PST 2014


Hello everybody,

I am quite new to bro, so I am not sure whether I am missing something.
It seems to me that bro (v2.1 and v2.2) in some cases does not report
packet loss.

I discovered this by comparing resp_bytes, resp_ip_bytes and
missed_bytes from conn.log. I found several TCP streams, for which
resp_ip_bytes < resp_bytes but missed_bytes is 0, that is, there are
more TCP bytes than IP bytes but at the same time no packet loss,
which seemed strange.
Analyzing the corresponding TCP sequence numbers in more detail, I found
that this seems to be caused by packet loss that is not reflected in
bro's missed_bytes field. Also, capture_loss.log did not show any loss.

You can find two example TCP streams, bro's output and Wireshark
screenshots here:
http://people.ee.ethz.ch/~gugdavid/bro_missed_bytes.zip
(Note: This is no real user traffic, these traffic samples have been
automatically generated in a testbed using mechanized Firefox instances.)

Am I missing something or did anybody encounter something similar?

Thank you,
David
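The consistency check described in the post (resp_ip_bytes smaller than resp_bytes while missed_bytes is 0) can be run over a conn.log directly. The following is an added example, not code from the post or from Bro; it parses the Bro 2.x TSV log header, applies the check in both the originator and responder direction, and uses a constructed three-connection conn.log (uids and byte counts are made up) as input.

```python
"""Flag conn.log rows whose byte counters suggest loss that missed_bytes did not record."""

# Constructed sample in Bro 2.x TSV log format (values are invented, not from the post).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\ttable[string]
1388920000.000000\tCa1b2c3d4e5f6\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.512\t402\t18344\tSF\t-\t0\tShADadfF\t8\t826\t15\t19148\t(empty)
1388920001.000000\tCf6e5d4c3b2a1\t10.0.0.5\t51235\t192.0.2.11\t80\ttcp\thttp\t0.731\t389\t43210\tSF\t-\t0\tShADadfF\t7\t761\t12\t26100\t(empty)
1388920002.000000\tC0f0f0f0f0f0f\t10.0.0.5\t51236\t192.0.2.12\t80\ttcp\thttp\t0.200\t300\t9000\tSF\t-\t2900\tShADadgfF\t6\t612\t5\t6300\t(empty)
"""


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the #fields header; unset fields ('-') become None."""
    fields, unset, rows = None, "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = [None if v == unset else v for v in line.split("\t")]
        rows.append(dict(zip(fields, values)))
    return rows


def find_unreported_loss(text):
    """Return (uid, direction) for TCP rows where *_ip_bytes < *_bytes but missed_bytes is 0.

    Payload bytes can never exceed IP bytes on the wire, so this pattern means the
    analyzer accounted for payload it never saw in captured packets, i.e. a gap that
    missed_bytes should have reflected.
    """
    suspects = []
    for row in parse_bro_log(text):
        if row.get("proto") != "tcp":
            continue
        missed = int(row["missed_bytes"] or 0)
        for side in ("orig", "resp"):
            payload = int(row[side + "_bytes"] or 0)
            ip_bytes = int(row[side + "_ip_bytes"] or 0)
            if ip_bytes < payload and missed == 0:
                suspects.append((row["uid"], side))
    return suspects


if __name__ == "__main__":
    for uid, side in find_unreported_loss(SAMPLE_CONN_LOG):
        print("possible unreported loss: uid=%s direction=%s" % (uid, side))
```

Only the second row is flagged: the third has the same counter mismatch but reports it through missed_bytes, which is the behaviour the post expected to see everywhere.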


