[Bro] High orig_bytes value

Danilo Nicolò dani.nicolo at gmail.com
Thu Sep 8 01:57:05 PDT 2016


Hello,

Sorry for the short information.

I’m using Packet-bricks + Bro (2.5) + Netmap (plugin)



Yesterday I removed Packet-bricks from the chain and the problem was solved.

So in some way packet-bricks will cause that problem in my network
(regularly).

I was using git version of packet-bricks in this way:



Eth0 --\
Eth1 ------ Merge -> Slot -> LoadBalance ----- Slot -> Bro worker #1
Eth2 ---/                                  \--- Slot -> Bro worker #2
Eth3 --/



Should I take the orig_ip_bytes instead of orig_bytes to have more
reliability?

Thanks for your suggestions

2016-09-07 21:43 GMT+02:00 Seth Hall <seth at icir.org>:

>
> > On Aug 29, 2016, at 1:01 PM, Danilo Nicolò <dani.nicolo at gmail.com>
> wrote:
> >
> > I'm testing Bro 2.5 beta with netmap, and I noticed this row:
> >
> > {"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107",
> > "id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp",
> > "duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF",
> > "local_resp":true,"missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,
> > "orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184,"tunnel_parents":[],
> > "local_origi":"T4","local_respo":"T4"}
>
> Unfortunately you haven't given enough information to debug this problem.
> I haven't heard of a problem like this with netmap.
>
> Although, I can say that it would be possible to cause a Bro log to look like
> that if two systems on the network were out to mess with you.  Those large
> numbers are calculated by doing tcp sequence ID tracking.  If you look at
> the orig_ip_bytes and resp_ip_bytes fields, you can see those are much
> smaller because they are actually calculated from the byte size of packets
> seen.
>
> Are you seeing this regularly, or was this a one-off?  Are you running
> packet-bricks or lb on top of netmap or do you have Bro connecting to a
> netmap interface directly?  Are you using the netmap libpcap wrappers or
> are you using the netmap plugin?
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
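A consistency check over JSON conn.log records, illustrating the point in the thread that orig_bytes/resp_bytes come from TCP sequence tracking while orig_ip_bytes/resp_ip_bytes are summed from packets actually seen. This is an added example, not code from the thread or from Bro; the sample lines are constructed (the first mirrors the quoted record, the second is a made-up healthy one), and SEQ_SPACE, check_record and scan_conn_log are names chosen here.

```python
import json

# Constructed sample conn.log lines (JSON format). The first mirrors the
# anomalous record quoted in the thread; the second is a constructed healthy one.
SAMPLE_CONN_LOG = """\
{"ts":1472467151.681244,"uid":"CgoIaB3GxSCIEgWea7","id.orig_h":"192.168.181.107","id.orig_p":11328,"id.resp_h":"172.16.1.60","id.resp_p":9997,"proto":"tcp","duration":0.362595,"orig_bytes":4294967296,"resp_bytes":4294967296,"conn_state":"SF","missed_bytes":1168863602,"history":"ShAFFff","orig_pkts":7,"orig_ip_bytes":292,"resp_pkts":4,"resp_ip_bytes":184}
{"ts":1472467152.0,"uid":"Cexample0000000002","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp","duration":1.5,"orig_bytes":1200,"resp_bytes":5400,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":9,"orig_ip_bytes":1680,"resp_pkts":8,"resp_ip_bytes":5830}
"""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers live in a 32-bit space


def check_record(rec):
    """Return the reasons a TCP record's byte counters look untrustworthy.

    orig_bytes/resp_bytes are derived from sequence-number tracking, so gaps,
    wraparound or odd segments can inflate them. *_ip_bytes is summed from the
    packets captured, and payload bytes can never exceed the IP bytes that
    carried them, so payload > IP bytes is inconsistent by construction.
    """
    reasons = []
    if rec.get("proto") != "tcp":
        return reasons
    captured = (rec.get("orig_ip_bytes") or 0) + (rec.get("resp_ip_bytes") or 0)
    for side in ("orig", "resp"):
        payload = rec.get(f"{side}_bytes") or 0
        ip_total = rec.get(f"{side}_ip_bytes") or 0
        if payload >= SEQ_SPACE:
            reasons.append(f"{side}_bytes >= 2^32 (sequence-space wrap)")
        elif payload > ip_total:
            reasons.append(f"{side}_bytes {payload} exceeds {side}_ip_bytes {ip_total}")
    missed = rec.get("missed_bytes") or 0
    if missed > captured:
        reasons.append(f"missed_bytes {missed} exceeds bytes captured on the wire")
    return reasons


def scan_conn_log(text):
    """Parse JSON conn.log lines and return {uid: reasons} for flagged records."""
    flagged = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = check_record(rec)
        if reasons:
            flagged[rec["uid"]] = reasons
    return flagged


if __name__ == "__main__":
    for uid, reasons in scan_conn_log(SAMPLE_CONN_LOG).items():
        print(uid, "; ".join(reasons))
```

Records flagged this way are the ones where orig_ip_bytes/resp_ip_bytes are the safer volume figure to rely on; a steady stream of them points at the capture path (here, the packet-bricks stage) rather than at the hosts.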