[Bro] A strange connection

Seth Hall seth at icir.org
Wed Jan 28 12:39:41 PST 2015


> On Jan 26, 2015, at 10:22 AM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
> 
> If there are duplicated packets due to packet retransmission, will orig_ip_bytes and resp_ip_bytes
> still be correct (I mean the bytes may be counted more than once)? If not, what are the reliable fields to
> derive the transmitted bytes (not counting duplicated ones)? Thanks.

It’s the (orig/resp)_bytes field, as you suspect.  Something happened in this connection that tricked Bro’s sequence ID tracking, which caused the larger numbers in those fields.  If you find it again and are able to capture a pcap of it, we’d be interested in seeing it.

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
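The thread turns on the difference between the two byte counters in conn.log: orig_bytes/resp_bytes are derived from TCP sequence numbers, so retransmitted payload is not counted twice, while orig_ip_bytes/resp_ip_bytes are summed from the IP total-length field of every packet seen, so duplicates do inflate them. The flip side, which Seth describes, is that a sequence-tracking glitch can push orig_bytes/resp_bytes above what the packets could physically have carried. The following script is an added example, not code from the thread or from the Bro project: it parses a conn.log (stock Bro TSV layout with a `#fields` header and `-` for unset values) and flags both situations. The log lines are constructed, and the per-packet header bounds MIN_HDR/MAX_HDR are assumptions for IPv4+TCP. It also credits missed_bytes, the counter Bro keeps for content gaps, so capture loss is not mistaken for a tracking glitch.

```python
"""Cross-check the two byte counters in a Bro/Zeek conn.log.

Added example, not code from the original thread or from the Bro project.
Assumes the stock conn.log layout (TSV, '#fields' header, '-' for unset)
and the standard field names. The sample records and the header-size
bounds below are constructed/assumed, not taken from the page.
"""

# Per-packet IPv4 + TCP header bounds (assumption): 20+20 bytes without
# options, 60+60 bytes with maximal options. IPv6 would raise MIN_HDR to 60.
MIN_HDR = 40
MAX_HDR = 120

# Constructed conn.log excerpt (not a real capture).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tmissed_bytes"
    "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\n"
    # clean: ip_bytes == payload + 52-byte headers per packet
    "1422470000.1\tCclean1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp\t0.5"
    "\t300\t5000\tSF\t0\t6\t612\t8\t5416\n"
    # originator retransmitted payload: ip_bytes grows, orig_bytes does not
    "1422470001.2\tCretx1\t10.0.0.5\t51001\t10.0.0.9\t80\ttcp\t3.1"
    "\t300\t5000\tSF\t0\t10\t2020\t8\t5416\n"
    # sequence tracking confused: orig_bytes far beyond bytes on the wire
    "1422470002.3\tCglitch1\t10.0.0.5\t51002\t10.0.0.9\t80\ttcp\t0.4"
    "\t4000000000\t5000\tSF\t0\t6\t612\t8\t5416\n"
    # capture loss: resp_bytes inflated, but accounted for by missed_bytes
    "1422470003.4\tCloss1\t10.0.0.5\t51003\t10.0.0.9\t80\ttcp\t1.0"
    "\t300\t20000\tSF\t15000\t6\t612\t8\t5416\n"
    # udp with an unset duration: skipped by the TCP-only checks
    "1422470004.5\tCudp1\t10.0.0.5\t51004\t10.0.0.53\t53\tudp\t-"
    "\t40\t120\tSF\t0\t1\t68\t1\t148\n"
)

NUMERIC = ("orig_bytes", "resp_bytes", "missed_bytes",
           "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")


def parse_conn_log(text):
    """Yield one dict per record, keyed by the '#fields' names.

    The counters in NUMERIC are converted to int; '-' (unset) becomes None.
    Other '#' header lines (#separator, #types, ...) are skipped.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        for key in NUMERIC:
            rec[key] = None if rec[key] == "-" else int(rec[key])
        yield rec


def check_direction(payload_bytes, pkts, ip_bytes, missed_bytes):
    """Compare the sequence-derived payload count with the wire byte count.

    Returns a list of (finding, magnitude) tuples; empty when they agree.
    """
    findings = []
    if None in (payload_bytes, pkts, ip_bytes):
        return findings
    missed = missed_bytes or 0
    # More IP bytes than unique payload plus maximal headers can explain:
    # the excess is a lower bound on retransmitted/duplicated payload, which
    # *_ip_bytes counts and the sequence-based *_bytes does not.
    dup_floor = ip_bytes - payload_bytes - pkts * MAX_HDR
    if dup_floor > 0:
        findings.append(("duplicated_payload", dup_floor))
    # Sequence-derived payload larger than the packets could have carried,
    # even after crediting bytes Bro recorded as missed (capture loss):
    # the sequence tracking was confused, as in the thread.
    excess = (payload_bytes - missed) + pkts * MIN_HDR - ip_bytes
    if excess > 0:
        findings.append(("seq_tracking_excess", excess))
    return findings


def audit(text):
    """Return {uid: {'orig': findings, 'resp': findings}} for flagged TCP records."""
    result = {}
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp":
            continue
        orig = check_direction(rec["orig_bytes"], rec["orig_pkts"],
                               rec["orig_ip_bytes"], rec["missed_bytes"])
        resp = check_direction(rec["resp_bytes"], rec["resp_pkts"],
                               rec["resp_ip_bytes"], rec["missed_bytes"])
        if orig or resp:
            result[rec["uid"]] = {"orig": orig, "resp": resp}
    return result


if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_CONN_LOG).items():
        print(uid, findings)
```

Run against a real conn.log by passing the file contents to audit(). Connections flagged with seq_tracking_excess are the ones worth pulling a pcap for, as Seth asks; duplicated_payload simply means the *_ip_bytes counters include retransmissions, and the *_bytes counters are the ones to use for payload volume.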