[Bro] pcap replay issue

Seth Hall seth at icir.org
Mon Nov 16 06:39:55 PST 2015


> On Nov 14, 2015, at 5:15 PM, Dk Jack <dnj0496 at gmail.com> wrote:
> 
> I am trying to replay a small ssl pcap and have bro analyze the packets. When I do tcpreplay on the pcap, the first time I see five ssl connections in bro ssl log. When I replay the same pcap within a minute or so of the first replay, then I only see 3 connections. If I give a gap of say 5mins between the replays, then I see 5 connections in the 2nd replay too.

I haven’t looked at your pcap, but from what you are saying and from looking at your weird.log it appears that your connections with the ephemeral ports 54169 and 54167 aren’t being shut down correctly.  Make sure they have correct tcp shutdown sequences (FINs or RSTs, etc).  You are seeing things correctly after 5 minutes because that’s Bro’s default TCP timeout.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
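The check Seth suggests (do the connections in the pcap actually carry a FIN or RST?) can be done without Bro. The script below is an added example, not part of this thread or of the Bro project: a minimal pure-Python pcap reader that walks Ethernet/IPv4/TCP frames, ORs together every TCP flag seen per connection (both directions folded into one canonical 4-tuple), and lists the connections that never saw a FIN or RST. Those are the ones Bro will keep in its connection table until its TCP inactivity timeout expires, so a replay of the same pcap inside that window is folded into the still-open connection instead of producing a new ssl.log entry. The addresses, ports and frames in `SAMPLE_PCAP` are constructed for the example; the helpers `build_packet` and `build_pcap` exist only to build that sample in memory.

```python
import struct
import sys
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, seq=0, ack=0):
    """Construct a minimal Ethernet/IPv4/TCP frame (no payload, checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1447526100 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap_bytes):
    """Yield (src, sport, dst, dport, flags) for every IPv4/TCP packet in a pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        end = "<"                       # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                       # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack_from(end + "I", pcap_bytes, off + 8)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4    # IPv4 header length, options included
        if frame[14 + 9] != 6:          # protocol field: 6 = TCP
            continue
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 14:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        yield src, sport, dst, dport, frame[tcp_off + 13]


def unclosed_connections(pcap_bytes):
    """Return canonical 4-tuples of TCP connections that never carried a FIN or RST."""
    flags_seen = defaultdict(int)       # canonical 4-tuple -> OR of all flags seen
    for src, sport, dst, dport, flags in iter_tcp(pcap_bytes):
        key = tuple(sorted([(src, sport), (dst, dport)]))   # fold both directions
        flags_seen[key] |= flags
    return sorted(k for k, f in flags_seen.items() if not f & (TCP_FIN | TCP_RST))


# Constructed sample: one FIN-closed, one RST-closed and one never-closed TLS connection.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_PCAP = build_pcap([
    build_packet(CLIENT, SERVER, 54170, 443, TCP_SYN),             # A: graceful close
    build_packet(SERVER, CLIENT, 443, 54170, TCP_SYN | TCP_ACK),
    build_packet(CLIENT, SERVER, 54170, 443, TCP_ACK),
    build_packet(CLIENT, SERVER, 54170, 443, TCP_FIN | TCP_ACK),
    build_packet(SERVER, CLIENT, 443, 54170, TCP_FIN | TCP_ACK),
    build_packet(CLIENT, SERVER, 54170, 443, TCP_ACK),
    build_packet(CLIENT, SERVER, 54168, 443, TCP_SYN),             # B: reset by server
    build_packet(SERVER, CLIENT, 443, 54168, TCP_SYN | TCP_ACK),
    build_packet(SERVER, CLIENT, 443, 54168, TCP_RST | TCP_ACK),
    build_packet(CLIENT, SERVER, 54169, 443, TCP_SYN),             # C: capture just stops
    build_packet(SERVER, CLIENT, 443, 54169, TCP_SYN | TCP_ACK),
    build_packet(CLIENT, SERVER, 54169, 443, TCP_ACK),
    build_packet(CLIENT, SERVER, 54169, 443, TCP_PSH | TCP_ACK),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (a, ap), (b, bp) in unclosed_connections(data):
        print(f"no FIN/RST seen: {a}:{ap} <-> {b}:{bp}")
```

Run it with a pcap path to check a real capture, or with no argument to see it flag only the 54169 connection in the sample. Any connection it reports will sit in Bro's state table until the inactivity timeout, which is exactly the window in which a second replay gets merged into the first.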
