[Bro] resp_bytes bug

Kang td66bshwu at gmail.com
Wed Feb 4 16:27:45 PST 2015


Hello.
I've been using Bro a lot lately and recently I've started noticing some 
weird connection sizes.
For instance a single connection may have a resp_bytes of over 1000GB, 
far more than is possible given the circumstances.
Three weirdness notifications seem to pop up along with this error, 
although not always all three at once. They are: SYN_seq_jump, 
SYN_inside_connection, & TCP_ack_underflow_or_misorder.

I've managed to capture an instance of the bug happening and have attached 
the dump to this email.
If you run the dump through bro it should show a resp_bytes of almost 
4GB for this connection, despite the capture only being a couple KB.

Could you please help me understand what is happening here and perhaps 
fix the bug?
Thank you
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad.connection.pcap
Type: application/vnd.tcpdump.pcap
Size: 1966 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150205/88038fad/attachment.bin 
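
An added example, not part of the original post or of Bro itself: a triage script that looks for the symptom described above by comparing conn.log's resp_bytes (which Bro's documentation describes as taken from TCP sequence numbers) against resp_ip_bytes (counted from IP headers seen on the wire), and attaches the three weird names from weird.log by uid. The sample log rows, uids and values are constructed, and the logs are trimmed to the columns the script reads.

```python
# Added example (not from the original post): triage Bro logs for impossible byte counts.
REPORTED_WEIRDS = {"SYN_seq_jump", "SYN_inside_connection",
                   "TCP_ack_underflow_or_misorder"}

def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names on its #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def to_int(value):
    """Bro writes '-' for unset fields; map those to None."""
    return int(value) if value not in (None, "", "-") else None

def suspect_connections(conn_text, weird_text):
    """Return connections whose resp_bytes exceeds resp_ip_bytes, with their weirds."""
    weirds = {}
    for w in parse_bro_log(weird_text):
        if w.get("name") in REPORTED_WEIRDS:
            weirds.setdefault(w.get("uid"), set()).add(w["name"])
    suspects = []
    for c in parse_bro_log(conn_text):
        payload, on_wire = to_int(c.get("resp_bytes")), to_int(c.get("resp_ip_bytes"))
        if payload is None or on_wire is None:
            continue
        # Payload cannot exceed the IP-level bytes that carried it.
        if payload > on_wire:
            suspects.append({"uid": c["uid"], "resp_bytes": payload,
                             "resp_ip_bytes": on_wire,
                             "weirds": sorted(weirds.get(c["uid"], ()))})
    return suspects

# Constructed sample logs, trimmed to the columns used here (real logs have more).
def _log(fields, rows):
    return "\n".join(["\t".join(["#fields"] + fields)] + ["\t".join(r) for r in rows])

SAMPLE_CONN = _log(["ts", "uid", "resp_bytes", "resp_ip_bytes"],
                   [["1423095000.1", "CbadConn1", "4294966800", "1200"],
                    ["1423095001.2", "CgoodConn2", "512", "772"],
                    ["1423095002.3", "CnoData3", "-", "-"]])
SAMPLE_WEIRD = _log(["ts", "uid", "name"],
                    [["1423095000.2", "CbadConn1", "SYN_seq_jump"],
                     ["1423095000.3", "CbadConn1", "TCP_ack_underflow_or_misorder"],
                     ["1423095001.5", "CgoodConn2", "SYN_seq_jump"]])

if __name__ == "__main__":
    for s in suspect_connections(SAMPLE_CONN, SAMPLE_WEIRD):
        print(s)
```

A connection with missed packets can also trip this check, so treat hits as candidates to inspect rather than confirmed instances of the bug.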

