[Bro] Problem identifying originator in Kerberos connections

Peter Hansen pch66 at cornell.edu
Wed Jul 29 13:38:24 PDT 2015

Hello all,

I have been working with Kerberos in Bro for a bit, and a problem I am
consistently having is that for some reason with Kerberos packets, Bro
cannot correctly identify the correct originator IP address in
kerberos.log. It appears that the response packets are having their orig_h
and resp_h values (and corresponding ports) swapped, so all connections
made in the transfer are incorrectly identified as having the same
originating IP address.

Is this a known issue? Am I doing something wrong? Looking at the packets
in Wireshark correctly identifies them.
