[Bro] Quick question on conn tracking
Seth Hall
seth at icir.org
Wed Sep 28 19:29:16 PDT 2016
> On Sep 28, 2016, at 3:51 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
>
> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
Wow, you're actually seeing 15 minutes where there are no packets seen in the connection? I'm surprised that Facebook has such a long timeout on their frontend web servers. I would expect that a timeout that long would actually cause quite a few middle boxes quite a bit of consternation as well. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/