[Bro] Strange Issue with Live Capture
Andrew Benson
abenson at gmail.com
Mon Jan 26 08:59:50 PST 2015
We're currently using Endace DAG capture cards to feed directly to bro,
snort, and a rolling packet capture.
The network we're currently looking at has a high number of retransmissions
(at one point we counted 45% of traffic being retransmissions).
Bro is currently logging each packet as a separate connection in conn.log,
and is failing to run the protocol analyzers correctly (i.e. it'll detect
it as FTP, but will only log the action, not the login, response).
What's weird is that if I run bro against the rolling pcap, it works
correctly. This problem only occurs when bro is listening to the device
directly.
This problem is still occurring with 2.3.1, so I'm at a loss. I enabled the
capture-loss module, and it's reporting 0%. The capture card doesn't seem
to be dropping anything either.
Seen anything similar or have any suggestions for troubleshooting/fixing?
--
AndrewB
Knowing is Half the Battle.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150126/5c0a549b/attachment.html
More information about the Bro
mailing list