[Bro] bro bug? - unreported packet loss
David Gugelmann
david.gugelmann at tik.ee.ethz.ch
Mon Jan 20 13:23:31 PST 2014
Hello everybody,
sorry for bothering you again. As I posted two weeks ago (see below), it
seems to me that bro sometimes does not report packet loss in TCP
connections (missed_bytes in conn.log is 0 even though there are packets
missing).
These are two examples for such connections:
1331764471.664131 CJukZE3ew98dfK4qAd 192.168.122.230 60648 77.238.160.184 80 tcp - 10.048360 538 2902 SF - 0 ShADafF 5 750 4 172 (empty)
1331765540.407398 CpZaKz4sihR23hO2a6 192.168.122.203 64860 94.245.68.169 80 tcp - 6.424619 1270 10052 SF - 0 ShAaDdfF 8 1602 9 6198 (empty)
You can find the corresponding pcap files and additional information here:
http://people.ee.ethz.ch/~gugdavid/bro_missed_bytes.zip
Am I missing something or did anybody encounter something similar?
Thank you,
David
-------- Original Message --------
Subject: [Bro] unreported packet loss
Date: Sun, 05 Jan 2014 20:37:03 +0100
From: David Gugelmann <david.gugelmann at tik.ee.ethz.ch>
To: bro at bro.org
Hello everybody,
I am quite new to bro, so I am not sure whether I am missing something.
It seems to me that bro (v2.1 and v2.2) in some cases does not report
packet loss.
I discovered this by comparing resp_bytes, resp_ip_bytes and
missed_bytes from conn.log. I found several TCP streams, for which
resp_ip_bytes < resp_bytes but missed_bytes is 0, that is, there are
more TCP-bytes than IP-bytes but at the same time no packet losses,
which seemed strange.
Analyzing the corresponding TCP sequence numbers more in detail, I found
that this seems to be caused by packet loss that is not reflected in
bro's missing_bytes field. Also capture_loss.log did not show any loss.
You can find two example TCP streams, bro's output and Wireshark screen
shots here:
http://people.ee.ethz.ch/~gugdavid/bro_missed_bytes.zip
(Note: This is not real user traffic; these traffic samples have been
automatically generated in a testbed using mechanized Firefox instances.)
Am I missing something or did anybody encounter something similar?
Thank you,
David
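The consistency check described in the quoted mail (resp_ip_bytes smaller than resp_bytes while missed_bytes is 0), as an added example that is not part of the mailing-list post and not Bro's own code. It assumes the default Bro 2.x ASCII conn.log layout, in which a `#fields` header names the tab-separated columns; the sample log below is constructed from the two connections quoted above plus one made-up consistent connection. The check is slightly stronger than a plain byte comparison: every packet carries at least 40 bytes of IPv4/IPv6 and TCP header, so if all payload was actually captured, `<side>_ip_bytes` can never be smaller than `<side>_bytes + 40 * <side>_pkts`.

```python
"""Flag conn.log entries whose payload byte count cannot be explained by the
IP bytes seen on the wire, although missed_bytes claims no loss.

Added example, not code from the mailing-list post or from Bro. Assumes the
default Bro 2.x conn.log column layout announced by the '#fields' header.
"""

# Constructed sample: a Bro-style ASCII header, the two connections quoted in
# the mail, and one consistent connection (uid CtestConstructed00 is made up).
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1331764471.664131\tCJukZE3ew98dfK4qAd\t192.168.122.230\t60648\t77.238.160.184\t80\ttcp\t-\t10.048360\t538\t2902\tSF\t-\t0\tShADafF\t5\t750\t4\t172\t(empty)
1331765540.407398\tCpZaKz4sihR23hO2a6\t192.168.122.203\t64860\t94.245.68.169\t80\ttcp\t-\t6.424619\t1270\t10052\tSF\t-\t0\tShAaDdfF\t8\t1602\t9\t6198\t(empty)
1331765600.000000\tCtestConstructed00\t192.168.122.10\t51000\t93.184.216.34\t80\ttcp\thttp\t1.000000\t400\t3000\tSF\t-\t0\tShADadFf\t6\t720\t5\t3260\t(empty)
"""

# Smallest possible IP + TCP header per packet (20 + 20 for IPv4, 40 + 20 for IPv6).
MIN_HEADER_BYTES = 40


def parse_conn_log(text):
    """Parse Bro ASCII conn.log text into a list of dicts keyed by column name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("line does not match #fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def _count(value):
    """Convert a count column to int; Bro writes '-' for unset values."""
    return 0 if value == "-" else int(value)


def find_unreported_loss(records):
    """Return (uid, side, payload_bytes, ip_bytes) for each TCP direction where
    the payload derived from sequence numbers exceeds what the captured IP
    bytes could have carried, yet missed_bytes is 0."""
    suspicious = []
    for rec in records:
        if rec["proto"] != "tcp" or _count(rec["missed_bytes"]) != 0:
            continue
        for side in ("orig", "resp"):
            payload = _count(rec[side + "_bytes"])
            ip_bytes = _count(rec[side + "_ip_bytes"])
            pkts = _count(rec[side + "_pkts"])
            # All payload seen implies ip_bytes >= payload + headers of every packet.
            if payload + MIN_HEADER_BYTES * pkts > ip_bytes:
                suspicious.append((rec["uid"], side, payload, ip_bytes))
    return suspicious


if __name__ == "__main__":
    for uid, side, payload, ip_bytes in find_unreported_loss(parse_conn_log(SAMPLE_CONN_LOG)):
        print("%s %s: %d payload bytes but only %d IP bytes seen, missed_bytes=0"
              % (uid, side, payload, ip_bytes))
```

Run against a real conn.log by replacing `SAMPLE_CONN_LOG` with the file contents; both quoted connections are flagged on the responder side only, while their originator sides and the constructed connection pass the check.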