[Bro] TCP retransmissions

anthony kasza anthony.kasza at gmail.com
Thu Sep 3 15:08:22 PDT 2015


They might be considered new connections if your router and laptop have a
longer connection timeout than Bro. This is a guess.

-AK
On Sep 3, 2015 3:04 PM, "Sven Dreyer" <sven at dreyer-net.de> wrote:

> Dear list,
>
> I stumbled upon a few entries in conn.log that tell me there is an
> incoming connection from an IMAP mailserver (public IP) to my notebook
> computer (private IP, behind NAT).
>
> In fact, I only have outgoing connections from that notebook computer to
> the IMAP server. I can find these in conn.log as well.
>
> Of course I do not have any port forwarding to that notebook computer,
> so I took a tshark trace on the router and waited for another occurrence.
>
> According to tshark on the router, there was no incoming connection from
> the IMAP server.
>
> But tshark on the router also revealed some TCP retransmissions from the
> IMAP server to my notebook. Every time tshark sees one of these TCP
> retransmissions, I get an incoming connection in conn.log. I think the
> retransmissions are due to a weak Wifi signal between router and notebook.
>
> Is it possible that TCP retransmissions are classified as new
> connections by bro? Or does anybody have a hint where else to search for
> the reason?
>
> Thanks!
> Sven
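One way to check the timeout guess above against a conn.log, as an added example that is not part of the original thread: flag records that begin without an originator SYN (no `S` in `history`) and whose endpoints mirror an earlier record. The sample rows are constructed and reduced to a few columns, and the function names are hypothetical.

```python
# Constructed sample in Bro's tab-separated log layout, reduced to the
# columns used here; addresses are private/documentation ranges.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tduration\tconn_state\thistory\n"
    # Outgoing IMAPS session from the notebook, full handshake seen.
    "1441317600.0\tC1\t192.168.1.23\t51514\t203.0.113.10\t993\t300.0\tS1\tShADad\n"
    # Server-to-notebook data on the same ports, no SYN: logged as "incoming".
    "1441318500.0\tC2\t203.0.113.10\t993\t192.168.1.23\t51514\t0.4\tOTH\tDa\n"
    # Unrelated new outgoing session and a genuine inbound SYN.
    "1441318600.0\tC3\t192.168.1.23\t51600\t203.0.113.10\t993\t12.0\tSF\tShADadFf\n"
    "1441318700.0\tC4\t198.51.100.7\t40000\t192.168.1.23\t22\t-\tS0\tS\n"
)


def parse_conn_log(text):
    """Turn a Bro TSV log into dicts keyed by the names on the #fields line."""
    lines = text.splitlines()
    fields = next(l for l in lines if l.startswith("#fields")).split("\t")[1:]
    return [dict(zip(fields, l.split("\t")))
            for l in lines if l and not l.startswith("#")]


def reversed_midstream(rows):
    """Return (uid, earlier_uid, gap_seconds) for records that start without
    an originator SYN and mirror the 4-tuple of an earlier record."""
    last_seen = {}  # 4-tuple -> (uid, time the earlier record ended)
    hits = []
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        ts = float(r["ts"])
        tup = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"])
        flipped = (tup[2], tup[3], tup[0], tup[1])
        # Upper-case "S" in history means the originator's SYN was seen.
        if "S" not in r["history"] and flipped in last_seen:
            prev_uid, prev_end = last_seen[flipped]
            hits.append((r["uid"], prev_uid, round(ts - prev_end, 1)))
        dur = 0.0 if r["duration"] == "-" else float(r["duration"])  # "-" = unset
        last_seen[tup] = (r["uid"], ts + dur)
    return hits


if __name__ == "__main__":
    for uid, prev_uid, gap in reversed_midstream(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{uid} mirrors {prev_uid}, {gap}s after it ended")
```

A gap that is consistently longer than the monitor's TCP inactivity timeout supports the explanation; a hit with a very short gap points elsewhere.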