[Bro] resp_bytes bug
Kang
td66bshwu at gmail.com
Wed Feb 4 16:27:45 PST 2015
Hello.
I've been using Bro a lot lately and recently I've started noticing some
weird connection sizes.
For instance a single connection may have a resp_bytes of over 1000GB,
far more than is possible given the circumstances.
Three weirdness notifications seem to pop up along with this error,
although not always all three at once. They are: SYN_seq_jump,
SYN_inside_connection, & TCP_ack_underflow_or_misorder.
I've managed to capture an instance of the bug happening and have attached
the dump to this email.
If you run the dump through bro it should show a resp_bytes of almost
4GB for this connection, despite the capture only being a couple KB.
Could you please help me understand what is happening here and perhaps
fix the bug?
Thank you
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad.connection.pcap
Type: application/vnd.tcpdump.pcap
Size: 1966 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150205/88038fad/attachment.bin
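
Added example, not part of the original message or of Bro itself: a triage check that flags TCP connections whose conn.log resp_bytes is far larger than the responder bytes actually seen on the wire, and lists which of the three weirds named above fired for the same uid. It assumes the conn.log field resp_ip_bytes (not mentioned in the message), a simplified tab-separated layout with a plain header row, and a hypothetical ratio threshold; the sample records are constructed.

```python
import csv
import io

# Constructed sample data (not taken from the attached pcap): simplified
# tab-separated extracts of conn.log and weird.log with a plain header row.
CONN_LOG = (
    "uid\tproto\tresp_bytes\tresp_pkts\tresp_ip_bytes\n"
    "CAAAA1\ttcp\t4294966000\t6\t1450\n"
    "CBBBB2\ttcp\t5120\t8\t5544\n"
    "CCCCC3\ttcp\t-\t0\t0\n"
)
WEIRD_LOG = (
    "uid\tname\n"
    "CAAAA1\tSYN_seq_jump\n"
    "CAAAA1\tTCP_ack_underflow_or_misorder\n"
    "CBBBB2\tSYN_inside_connection\n"
)
# The three weird names listed in the message.
SUSPECT_WEIRDS = {"SYN_seq_jump", "SYN_inside_connection",
                  "TCP_ack_underflow_or_misorder"}


def read_tsv(text):
    """Parse tab-separated text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def implausible_resp_bytes(conn_text, weird_text, ratio=10):
    """Return TCP connections whose resp_bytes far exceeds resp_ip_bytes.

    ratio is a hypothetical threshold: a small excess can come from packets
    the sensor missed, so only a large mismatch is reported.
    """
    weirds = {}
    for row in read_tsv(weird_text):
        if row["name"] in SUSPECT_WEIRDS:
            weirds.setdefault(row["uid"], set()).add(row["name"])
    findings = []
    for row in read_tsv(conn_text):
        if row["proto"] != "tcp" or "-" in (row["resp_bytes"], row["resp_ip_bytes"]):
            continue  # unset counters cannot be compared
        payload, on_wire = int(row["resp_bytes"]), int(row["resp_ip_bytes"])
        if payload > ratio * max(on_wire, 1):
            findings.append({"uid": row["uid"], "resp_bytes": payload,
                             "resp_ip_bytes": on_wire,
                             "weirds": sorted(weirds.get(row["uid"], ()))})
    return findings


if __name__ == "__main__":
    for finding in implausible_resp_bytes(CONN_LOG, WEIRD_LOG):
        print(finding)
```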