[Bro] ip_bytes and pkts not set in conn.log for cropped UDP packets

Johanna Amann johanna at icir.org
Fri Oct 14 07:04:33 PDT 2016


Hello David,

> We use bro-2.4.1 to analyze pcap traces with cropped payload.
> This works fine for TCP and ICMP packets, however orig_pkts,
> orig_ip_bytes, resp_pkts and resp_ip_bytes are all set to "0" in
> conn.log for the connections with cropped UDP packets (such as DNS
> packets with a snaplen of 42).
> That is, we end up with a conn.log entry stating that no packets were
> observed for the corresponding connection.
> I assume this is because no application analyzer is started.

Close, but not quite. The ip_pkts and ip_bytes fields are tracked by the
connection size analyzer. Roughly speaking, Bro arranges its analyzers in
a tree structure. The connection size analyzer is started as a child
analyzer of the TCP and the UDP analyzer, meaning it only gets information
about packets that is passed on by these analyzers.

By default, the UDP analyzer does not forward incomplete packets (where
the packet content was not captured due to a small snaplength) to any
child analyzer - including the connection size analyzer.

Changing this behavior requires patching the C++ source - you could try
just removing the if (caplen >= len) check just before ForwardPacket in
UDP.cc -- however, this will probably have other side-effects, because you
are now also forwarding incomplete data to other analyzers that might not
deal too gracefully with it and generate binpac errors - so you should only
do this if you also prevent application layer analyzers from
instantiating.

The current solution here is not quite satisfying - it would probably be
nicer if the connection size analyzer were not a child of tcp/udp, but that
is difficult for other reasons.

I hope this helps a little bit,
 Johanna
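An added example, not part of the thread above: a small Python check that scans a conn.log for UDP connections whose packet counters are both zero, which is the symptom described in this message (truncated UDP packets never reaching the connection size analyzer). It assumes the Bro 2.x tab-separated conn.log layout with a `#fields` header; the log lines below are constructed for illustration.

```python
"""Flag conn.log entries whose packet counters are zero for UDP flows.

Such entries are what you get when cropped UDP packets are dropped by the
UDP analyzer before the connection size analyzer ever sees them.
"""
from typing import Dict, Iterator, List

# Constructed sample in Bro 2.x conn.log layout (tab-separated, '#fields' header).
# Cabc1 is a DNS flow whose packets were cropped; the other two are normal.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\t"
    "service\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\t"
    "local_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\t"
    "resp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "1476453873.000000\tCabc1\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\t-\t-\t-\t-\t"
    "S0\t-\t-\t0\t-\t0\t0\t0\t0\t(empty)\n"
    "1476453874.000000\tCabc2\t10.0.0.5\t40000\t93.184.216.34\t80\ttcp\thttp\t"
    "0.2\t300\t1200\tSF\t-\t-\t0\tShADadfF\t6\t620\t5\t1460\t(empty)\n"
    "1476453875.000000\tCabc3\t10.0.0.5\t123\t10.0.0.1\t123\tudp\t-\t0.01\t48\t48\t"
    "SF\t-\t-\t0\tDd\t1\t76\t1\t76\t(empty)\n"
    "#close\t2016-10-14-07-04-33\n"
)


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other metadata lines and blanks
        else:
            values = line.split("\t")
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def _count(value: str) -> int:
    """Bro writes '-' for unset fields; treat that as zero."""
    return 0 if value == "-" else int(value)


def find_uncounted_udp(text: str) -> List[str]:
    """Return uids of UDP connections with zero packets in both directions."""
    hits: List[str] = []
    for rec in parse_conn_log(text):
        if rec["proto"] != "udp":
            continue
        if _count(rec["orig_pkts"]) == 0 and _count(rec["resp_pkts"]) == 0:
            hits.append(rec["uid"])
    return hits


if __name__ == "__main__":
    print("UDP flows with no counted packets:", find_uncounted_udp(SAMPLE_CONN_LOG))
```

Feed it a real conn.log instead of the sample to see how many UDP connections were affected by the snaplen before deciding whether to patch UDP.cc.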
