[Bro] Problem with connections in S1 and SF state
Sven Dreyer
sven at dreyer-net.de
Thu Nov 19 08:21:57 PST 2015
Justin, thanks for the hint. I should indeed have checked the history field.
But even for connections that do not start with d or D in the history
field, I see the same behaviour. Source and destination are still twisted:
1447675087.121817 CjRCD61gNErucciPb8 87.144.16.xxx 50993 192.168.100.yyy 26577 tcp ssl 83.596659 1432 2619 S1 F T 0 ShADad 18 2164 15 3231 (empty)
Bro is configured to listen on a bridge interface (br0). But I also have a
dumpcap process running that writes all packets to pcap files.
Interestingly, if I feed the corresponding pcap file to Bro (bro -r
file.pcap), I get source and destination in the right order:
1447675087.121817 C2AvJf3WgcdiBlYfS4 192.168.100.yyy 26577 87.144.16.xxx 50993 tcp ssl 83.596659 1432 2619 S1 - - 0 ShADad 18 2164 15 3231 (empty)
Does anybody have an explanation for this?
Thanks,
Sven
On 17.11.2015 at 21:53, Azoff, Justin S wrote:
> You should really be looking at the history field:
>
> history: string &log &optional
> Records the state history of connections as a string of letters. The meaning of those letters is:
>
> Letter  Meaning
> s       a SYN w/o the ACK bit set
> h       a SYN+ACK (“handshake”)
> a       a pure ACK
> d       packet with payload (“data”)
> f       packet with FIN bit set
> r       packet with RST bit set
> c       packet with a bad checksum
> i       inconsistent packet (e.g. SYN+RST bits both set)
> If the event comes from the originator, the letter is in upper-case; if it comes from the responder, it’s in lower-case. Multiple packets of the same type will only be noted once (e.g. we only record one “d” in each direction, regardless of how many data packets were seen.)
>
> So any connection that starts with D or d means Bro missed the initial SYN handshake (Sh).
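The history-field rules quoted above (one letter per packet type, upper case for the originator, lower case for the responder, a leading d/D meaning the handshake was missed) can be applied mechanically to conn.log lines. The following is an added example, not code from the thread or from the Bro project: it splits tab-separated conn.log records into the 21 columns in the order the lines above use, decodes the history string letter by letter, and flags records whose first recorded packet is not the originator's SYN. The two sample records and their addresses are constructed for the example.

```python
"""Decode the Bro conn.log ``history`` field and flag missed handshakes.

Added example; the letter table comes from the Bro documentation quoted
in the thread, the sample records below are constructed.
"""

# Meaning of each history letter (lower case here; case encodes direction).
HISTORY_LETTERS = {
    "s": "SYN w/o ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload (data)",
    "f": "packet with FIN bit set",
    "r": "packet with RST bit set",
    "c": "packet with a bad checksum",
    "i": "inconsistent packet",
}

# Column order of the tab-separated conn.log lines shown in the thread
# (assumed to be the default Bro 2.x conn.log layout).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Constructed sample records (RFC 5737 / private addresses, invented uids).
SAMPLE_CONN_LOG = "\n".join([
    "\t".join(["1447675087.121817", "CAAAA1", "192.168.100.20", "26577",
               "203.0.113.5", "50993", "tcp", "ssl", "83.596659", "1432",
               "2619", "S1", "T", "F", "0", "ShADad", "18", "2164", "15",
               "3231", "(empty)"]),
    "\t".join(["1447675090.500000", "CBBBB2", "203.0.113.9", "443",
               "192.168.100.21", "51000", "tcp", "-", "12.0", "900", "100",
               "OTH", "F", "T", "0", "DdA", "5", "1200", "3", "400",
               "(empty)"]),
])


def decode_history(history):
    """Return [(direction, meaning), ...] for a history string."""
    events = []
    for ch in history:
        direction = "originator" if ch.isupper() else "responder"
        meaning = HISTORY_LETTERS.get(ch.lower(), "unknown letter %r" % ch)
        events.append((direction, meaning))
    return events


def missed_handshake(history):
    """True when the first packet Bro recorded was not the originator's SYN,
    i.e. Bro did not see the start of the connection and had to pick the
    originator from whatever packet came first."""
    return not history.startswith("S")


def parse_conn_log(text):
    """Parse tab-separated conn.log records (comment lines are skipped)."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(CONN_FIELDS):
            raise ValueError("expected %d columns, got %d" % (len(CONN_FIELDS), len(fields)))
        rows.append(dict(zip(CONN_FIELDS, fields)))
    return rows


def audit(text):
    """Summarise each record: who Bro chose as originator, the decoded
    history, and whether the SYN was missed."""
    report = []
    for row in parse_conn_log(text):
        h = row["history"]
        report.append({
            "uid": row["uid"],
            "orig": "%s:%s" % (row["id.orig_h"], row["id.orig_p"]),
            "resp": "%s:%s" % (row["id.resp_h"], row["id.resp_p"]),
            "history": h,
            "missed_handshake": missed_handshake(h),
            "events": decode_history(h),
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_CONN_LOG):
        flag = "MISSED SYN" if entry["missed_handshake"] else "handshake seen"
        print(entry["uid"], entry["orig"], "->", entry["resp"], entry["history"], flag)
        for direction, meaning in entry["events"]:
            print("   ", direction, meaning)
```

Running it on a real conn.log only needs the same column order; records whose history begins with "S" were assigned their originator from the SYN Bro actually saw, so for those a swapped direction is not explained by a missed handshake.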