[Bro] Split-ed connection for some UDP traffic?
Seth Hall
seth at corelight.com
Thu Aug 10 04:42:54 PDT 2017
Hi Fatema, I don't see a reply to this message in the mailing list so
I'll give it a shot...
fatema bannatwala wrote:
> 1500927487.398576 CLr9ebnHeAYNOGzei 24.132.204.62 41600 128.175.235.216 389 udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)
> 1500927487.404591 CapBfs1lhI2XFt4gJb 128.175.235.216 389 24.132.204.62 41600 udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)
>
> Here, in the above case, shouldn't Bro be logging only a single
> connection with src: 24.132.204.62 and dest: 128.175.235.216, with
> history 'Dd'? Or I might be missing
> something important here :)
Your traffic isn't being load balanced correctly. You have one worker
receiving one flow of the connection and another worker receiving the
other flow of the connection. You can tell because of the two different
"connections" that have the 4-tuple of ports and IP addresses, and you
picked up on the "D" instead of "Dd". That just means that traffic was
only seen from the originator, which we would expect with mismatched load
balancing.
Are you seeing this sort of behavior with other connections or just this
one single odd-ball connection?
.Seth
--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
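As an added example (not from the thread or the Bro project), here is a small check a defender can run over conn.log records to surface the symptom Seth describes: two UDP records whose 4-tuples are mirror images of each other, started within a second, and each with a one-sided history. The field order and the third, healthy record are assumptions constructed for the example; the first two records are the ones quoted above.

```python
# Added example: find UDP "connections" in Bro/Zeek conn.log output that are
# really one connection whose two flows landed on different workers.
from collections import defaultdict

# Assumed field order for the whitespace-separated records quoted in the thread.
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
          "resp_pkts", "resp_ip_bytes", "tunnel_parents"]

def parse_conn_line(line):
    """Split one conn.log record into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    return dict(zip(FIELDS, parts))

def one_sided(history):
    """True when the history holds only originator events (uppercase letters).
    A lowercase letter, such as the 'd' in 'Dd', means the responder was seen."""
    return history != "-" and not any(c.islower() for c in history)

def find_split_udp(lines, window=1.0):
    """Return (uid_a, uid_b) pairs of UDP records whose 4-tuples mirror each other,
    start within `window` seconds, and each saw only one direction of traffic.
    That pattern is what mismatched load balancing across workers produces."""
    recs = [parse_conn_line(l) for l in lines if l.strip() and not l.startswith("#")]
    by_tuple = defaultdict(list)
    for r in recs:
        by_tuple[(r["orig_h"], r["orig_p"], r["resp_h"], r["resp_p"])].append(r)
    pairs = []
    for r in recs:
        if r["proto"] != "udp" or not one_sided(r["history"]):
            continue
        mirror = (r["resp_h"], r["resp_p"], r["orig_h"], r["orig_p"])
        for m in by_tuple.get(mirror, []):
            if (m["proto"] == "udp" and one_sided(m["history"])
                    and abs(float(r["ts"]) - float(m["ts"])) <= window
                    and r["uid"] < m["uid"]):  # report each pair only once
                pairs.append((r["uid"], m["uid"]))
    return pairs

# The two records quoted in the thread plus one constructed healthy record ("Dd").
SAMPLE = [
    "1500927487.398576 CLr9ebnHeAYNOGzei 24.132.204.62 41600 128.175.235.216 389 udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)",
    "1500927487.404591 CapBfs1lhI2XFt4gJb 128.175.235.216 389 24.132.204.62 41600 udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)",
    "1500927500.000000 CxxxxConstructed01 10.0.0.5 53000 10.0.0.53 53 udp dns 0.010000 60 120 SF T T 0 Dd 1 88 1 148 (empty)",
]

if __name__ == "__main__":
    print(find_split_udp(SAMPLE))  # → [('CLr9ebnHeAYNOGzei', 'CapBfs1lhI2XFt4gJb')]
```

Running it over a real conn.log with many such pairs across many 4-tuples, rather than one odd-ball connection, points at the load-balancer configuration rather than at the traffic itself.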