[Bro] Duplication of packets and UIDs

Seth Hall seth at icir.org
Thu May 1 11:03:59 PDT 2014

On May 1, 2014, at 1:05 PM, nate <nate at nullbyte.net> wrote:

> 1. Why are lines 837 & 838 duplicates of each other, with different time stamps?

I believe this might be a bug that we have fixed in the upcoming 2.3 release.  We did some DNS script refactoring.  It's a surprisingly hard protocol to get just right.

> 2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 & 1133), with the same timestamps?

I suspect that's the same bug expressing itself again.

> 3. Why do both sections of packets, 10 seconds apart, have the same UID?

Because it's UDP. :)  Bro creates mock "connections" for UDP, and the client in this case was using the same ephemeral port for multiple queries, so they showed up as part of the same "connection". (All quotes very deliberate.)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
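An added illustration of the UDP "connection" keying Seth describes above. This is example code written for this page, not code from Bro or from anyone in the thread: a small flow table keyed on the 5-tuple, fed constructed DNS packets in which one client port issues two queries 10 seconds apart (each seen twice, as in the original question) and a second query comes from a fresh ephemeral port. The idle timeout, addresses, ports, timestamps and UID format are all assumptions made for the illustration.

```python
"""Model of how Bro keys UDP 'connections' (and therefore UIDs) by 5-tuple."""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample DNS traffic (addresses, ports, timestamps and names are made up).
# Packets 0-3: one client port, two queries 10 s apart, each seen twice.
# Packet 4: the same client from a fresh ephemeral port.
# Packet 5: the original port again, but long after the flow went idle.
SAMPLE_PACKETS: List[Tuple[float, str, int, str, int, str, str]] = [
    (1000.000, "10.0.0.5", 52344, "10.0.0.53", 53, "udp", "example.com"),
    (1000.001, "10.0.0.5", 52344, "10.0.0.53", 53, "udp", "example.com"),
    (1010.000, "10.0.0.5", 52344, "10.0.0.53", 53, "udp", "example.org"),
    (1010.002, "10.0.0.5", 52344, "10.0.0.53", 53, "udp", "example.org"),
    (1011.000, "10.0.0.5", 52345, "10.0.0.53", 53, "udp", "example.net"),
    (1400.000, "10.0.0.5", 52344, "10.0.0.53", 53, "udp", "example.com"),
]

# Idle time after which a UDP flow is closed and the next packet on the same
# 5-tuple starts a new one. Assumed for illustration, not Bro's configured value.
UDP_INACTIVITY_TIMEOUT = 60.0

FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Flow:
    uid: str
    first_seen: float
    last_seen: float
    queries: List[str] = field(default_factory=list)


def _sequential_uids() -> Callable[[], str]:
    # Deterministic stand-in for Bro's random connection UIDs (format only loosely mimicked).
    counter = itertools.count(1)
    return lambda: "CExample%d" % next(counter)


class UdpFlowTable:
    """Tracks UDP 'connections' by 5-tuple, reusing the UID until the flow goes idle."""

    def __init__(self, timeout: float = UDP_INACTIVITY_TIMEOUT,
                 uid_source: Optional[Callable[[], str]] = None) -> None:
        self.timeout = timeout
        self.flows: Dict[FiveTuple, Flow] = {}
        self.expired: List[Flow] = []
        self._new_uid = uid_source or _sequential_uids()

    def lookup(self, ts: float, key: FiveTuple) -> Flow:
        flow = self.flows.get(key)
        if flow is not None and ts - flow.last_seen > self.timeout:
            # Idle too long: the old "connection" is flushed, and a new packet on
            # the same 5-tuple gets a fresh UID.
            self.expired.append(self.flows.pop(key))
            flow = None
        if flow is None:
            flow = Flow(uid=self._new_uid(), first_seen=ts, last_seen=ts)
            self.flows[key] = flow
        flow.last_seen = ts
        return flow


def assign_uids(packets, timeout: float = UDP_INACTIVITY_TIMEOUT,
                uid_source: Optional[Callable[[], str]] = None) -> List[Tuple[float, str, str]]:
    """Return (timestamp, uid, query) per packet, the way dns.log lines would carry them."""
    table = UdpFlowTable(timeout, uid_source)
    rows: List[Tuple[float, str, str]] = []
    for ts, sip, sport, dip, dport, proto, query in packets:
        flow = table.lookup(ts, (sip, sport, dip, dport, proto))
        flow.queries.append(query)
        rows.append((ts, flow.uid, query))
    return rows


def queries_per_uid(rows) -> Dict[str, int]:
    """How many log lines share each UID. More than one per UID is normal for UDP."""
    counts: Dict[str, int] = {}
    for _, uid, _ in rows:
        counts[uid] = counts.get(uid, 0) + 1
    return counts


if __name__ == "__main__":
    result = assign_uids(SAMPLE_PACKETS)
    for ts, uid, query in result:
        print("%.3f %s %s" % (ts, uid, query))
    print(queries_per_uid(result))
```

Running it shows the first four packets sharing one UID even though they are 10 seconds and two different queries apart, the fresh ephemeral port getting a second UID, and the reused port getting a third UID only once the flow has gone idle. The practical point for anyone joining dns.log to conn.log on uid: for UDP, one UID is a 5-tuple flow, not one query, so detection logic must not assume a single query per UID. The duplicated log lines themselves are a separate matter (the DNS script bug Seth mentions), which this model does not reproduce.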
