[Bro] weird.log help

Josh Guild josh.guild at morphick.com
Fri Apr 15 05:35:19 PDT 2016


Thanks, Dan, I'll look into this.
When I analyze the pcap in Wireshark I see a lot of "port reuse" errors as
well, which I think is indicative of this as well.


On Thu, Apr 14, 2016 at 6:07 PM, Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

> I don't know your situation but this looks like a reordering problem. All
> tools expect a time order.
>
> Timeout increase might help.
>
> On 14 Apr 2016, at 22:18, Josh Guild <josh.guild at morphick.com> wrote:
>
> Howdy all,
>
> I'm trying to debug some traffic that is coming off an aggregator right
> now. I was pointed to this helpful set of slides from Vlad on how to
> troubleshoot and verify a network (
> https://speakerdeck.com/vladg/bro-deployment-verification-and-troubleshooting
> ).
>
> Looking at the weird.log from a ~2 min pcap on a network with ~6 Gbps
> throughput, I've noticed these entries in the weird.log (top 10 or so).
>
> 5454 line_terminated_with_single_CR
> 4012 above_hole_data_without_any_acks
> 2827 TCP_ack_underflow_or_misorder
> 2601 SYN_seq_jump
> 2395 TCP_seq_underflow_or_misorder
> 2192 FIN_advanced_last_seq
> 1330 HTTP_version_mismatch
> 570 bad_HTTP_request
> 333 unescaped_special_URI_char
> 205 window_recision
> 151 dns_unmatched_msg
>
> Now my questions are these - 1) That seems like a lot of errors for a
> small sample set but I don't have a reference point for a network of this
> size. Does anyone else have an equivalent network that they could sanity
> check for me? 2) Is there a good reference for these weird.log entries that
> I can look at to try to pin down what is going wrong in the network? I'm
> particularly interested in the HTTP_version_mismatch and a few others that
> Vlad mentioned in his presentation.
>
> The main reason I'm interested in the details on HTTP_version_mismatch is
> because I have two pcaps from two separate ports off the aggregator and,
> for some reason, one is showing as HTTP2 (but only in the OSX version of
> Wireshark) and Bro can't read the pcap properly. The other pcap is read just
> fine.
>
> Sorry for the wall of text but if anyone can point me in the right
> direction, I'd be much obliged. Thanks!
>
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>


-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
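Added example for readers of this thread (not code from either poster or from the Bro project): a small Python script that parses a Bro-format weird.log, reproduces the "top N names" tally quoted above, and then checks the thing Daniel's reordering diagnosis calls for, namely whether the TCP misorder/gap weirds are concentrated on one worker. In a cluster the `peer` column of weird.log names the worker that logged the entry, and with one worker per aggregator port a feed that delivers segments out of order shows up as one peer with a far higher share of reorder-class weirds than the others. The log lines, worker names and addresses in the sample are constructed, not taken from the poster's capture.

```python
"""Summarise a Bro/Zeek weird.log and check whether the TCP
reordering-class weirds cluster on one worker (the "peer" column).

Added example for this mailing-list thread; not code from the Bro
project or from the posters.  SAMPLE_WEIRD_LOG is constructed to look
like Bro 2.x weird.log output (tab-separated, #fields header); the
worker names, UIDs and addresses are made up.
"""

from collections import Counter

# Weird names Bro's TCP analyzer emits when segments arrive out of
# sequence order or with gaps.  These point at the capture feed
# (aggregator / SPAN port) rather than at the endpoints.  Assumed set;
# adjust for your Bro version.
REORDER_WEIRDS = {
    "above_hole_data_without_any_acks",
    "TCP_ack_underflow_or_misorder",
    "TCP_seq_underflow_or_misorder",
    "SYN_seq_jump",
    "FIN_advanced_last_seq",
    "window_recision",
}

# Constructed sample, not a real capture.
SAMPLE_WEIRD_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1460670000.100000\tCabc1\t10.1.1.5\t51000\t192.0.2.10\t80\tabove_hole_data_without_any_acks\t-\tF\tworker-1
1460670000.200000\tCabc2\t10.1.1.6\t51001\t192.0.2.11\t80\tTCP_ack_underflow_or_misorder\t-\tF\tworker-1
1460670000.300000\tCabc3\t10.1.1.7\t51002\t192.0.2.12\t443\tTCP_seq_underflow_or_misorder\t-\tF\tworker-1
1460670000.400000\tCabc4\t10.1.1.8\t51003\t192.0.2.13\t80\tline_terminated_with_single_CR\t-\tF\tworker-2
1460670000.500000\tCabc5\t10.1.1.9\t51004\t192.0.2.14\t80\tHTTP_version_mismatch\t-\tF\tworker-2
1460670000.600000\tCabc6\t10.1.1.10\t51005\t192.0.2.15\t80\tSYN_seq_jump\t-\tF\tworker-1
1460670000.700000\t-\t10.1.1.11\t51006\t192.0.2.16\t53\tdns_unmatched_msg\t-\tF\tworker-2
1460670000.800000\tCabc7\t10.1.1.12\t51007\t192.0.2.17\t80\tabove_hole_data_without_any_acks\t-\tF\tworker-1
#close\t2016-04-14-22-20-00
"""


def parse_weird_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Header lines (#separator, #fields, #types, #close, ...) are skipped
    except for #fields, which supplies the column names.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record appears before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch in line: %r" % line)
        yield dict(zip(fields, values))


def top_weirds(records, n=10):
    """Same tally as `bro-cut name < weird.log | sort | uniq -c | sort -rn`."""
    return Counter(r["name"] for r in records).most_common(n)


def reorder_share_by_peer(records):
    """Per worker: (reorder-class count, total count, share).

    A feed problem on one aggregator port shows up as one peer whose
    share is far above the others'; a uniform share across peers points
    at the network itself rather than at how it is being tapped.
    """
    total = Counter()
    reorder = Counter()
    for r in records:
        peer = r["peer"]
        total[peer] += 1
        if r["name"] in REORDER_WEIRDS:
            reorder[peer] += 1
    return {p: (reorder[p], total[p], reorder[p] / total[p]) for p in total}


if __name__ == "__main__":
    recs = list(parse_weird_log(SAMPLE_WEIRD_LOG))
    for name, count in top_weirds(recs):
        print("%6d %s" % (count, name))
    for peer, (bad, tot, share) in sorted(reorder_share_by_peer(recs).items()):
        print("%s: %d/%d reorder-class weirds (%.0f%%)" % (peer, bad, tot, 100 * share))
```

To run it against a real capture, read the file into the string passed to `parse_weird_log` (the header and column layout are the ones Bro writes, so no other change is needed). If every peer shows the same high share, the reordering is upstream of the aggregator and the timeout increase Daniel suggests is a workaround, not a fix; if one peer dominates, start with that aggregator port.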