[Bro] TCP reassembly question [Port Traffic Mirroring]

Alkene Pan alkenepan at gmail.com
Fri Aug 18 00:21:53 PDT 2017


I encountered a TCP reassembly problem that causes Bro to fail to parse the TCP
stream. I am sincerely looking for a solution. The following is a description
of the problem.

There are two pcap files; the pcap data was captured from a switch (port traffic
mirroring). As below:
 - pcap1: we used Bro to parse the pcap1 file. In testing, Bro could not
log the HTTP request. I am not sure whether the TCP stream is somewhat messy.
 - pcap2: based on pcap1, we used Wireshark to delete a packet and
generated a new pcap2 file. The deleted packet's status was described
as "[TCP ACKed unseen segment]" in Wireshark. Bro parses this pcap
correctly.

Is there any suggestion to solve the problem? Thanks very much.

Below are the test steps and results:

Bro with capture-loss loaded:

root at sensor ~/temp# cat loss.bro
@load misc/capture-loss.bro

====================================================================

PCAP1:
root at sensor ~/temp# bro -C -r single_issue_00.pcap loss.bro

root at sensor ~/temp# cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2017-08-18-13-23-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes
history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count
string bool bool count string count count count count set[string]
1502979585.855778 CPkvTTF91m8B1Yfdb 10.0.81.16 56144 10.0.81.48 80 tcp -
0.002211 90 11977 SF - - 90 ShAaDdfF 12 722 12 12609 (empty)
#close 2017-08-18-13-23-54

root at sensor ~/temp# cat http.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2017-08-18-13-23-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method
host uri referrer version user_agent request_body_len response_body_len
status_code status_msg info_code info_msg tags username password proxied
orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames
resp_mime_types
#types time string addr port addr port count string string string string
string string count count count string count string set[enum] string string
set[string] vector[string] vector[string] vector[string] vector[string]
vector[string] vector[string]
1502979585.856854 CPkvTTF91m8B1Yfdb 10.0.81.16 56144 10.0.81.48 80 1 - - - -
1.1 - 0 11741 200OK - - (empty) - - - - - - FF9ypH1xMjwIUswLU1 - text/html
#close 2017-08-18-13-23-54

root at sensor ~/temp# cat capture_loss.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path capture_loss
#open 2017-08-18-13-23-54
#fields ts ts_delta peer gaps acks percent_lost
#types time interval string count count double
1502979585.858078 0.002300 bro 1 6 16.666667
#close 2017-08-18-13-23-54

====================================================================

After deleting the [TCP ACKed unseen segment] packet, PCAP2:

root at sensor ~/temp# cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2017-08-18-13-54-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes
history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count
string bool bool count string count count count count set[string]
1502979585.855778 CbMbYjzyDnDallire 10.0.81.16 56144 10.0.81.48 80 tcp http
0.002211 90 11977 SF - - 0 ShADdfFa 12 722 11 12557 (empty)
#close 2017-08-18-13-54-49

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2017-08-18-13-54-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method
host uri referrer version user_agent request_body_len response_body_len
status_code status_msg info_code info_msg tags username password proxied
orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames
resp_mime_types
#types time string addr port addr port count string string string string
string string count count count string count string set[enum] string string
set[string] vector[string] vector[string] vector[string] vector[string]
vector[string] vector[string]
1502979585.856615 CbMbYjzyDnDallire 10.0.81.16 56144 10.0.81.48 80 1 GET
10.0.81.48 /pvs/233.html - 1.1 ApacheBench/2.3 0 11741 200 OK - - (empty) -
- - -- - FF9ypH1xMjwIUswLU1 - text/html
#close 2017-08-18-13-54-49


root at sensor ~/temp# cat capture_loss.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path capture_loss
#open 2017-08-18-13-54-49
#fields ts ts_delta peer gaps acks percent_lost
#types time interval string count count double
1502979585.858078 0.002300 bro 0 6 0.0
#close 2017-08-18-13-54-49

====================================================================

Best regards,
AlkenePan
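As an added example (not part of the post and not Bro's own code), a small Python parser for the Bro ASCII log format shown above: it reads the two conn.log records, flags the flow whose missed_bytes is non-zero, and computes the percent_lost figure that capture-loss.bro reports. The sample_conn_log helper and the inline records are constructed from the post's output.

```python
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
          "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
          "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()

def sample_conn_log(row):
    """Constructed helper: build a conn.log in Bro's ASCII format from one row."""
    header = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
              "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(FIELDS)]
    return "\n".join(header + ["\t".join(row.split())])

# The two conn.log records from the post: pcap1 (unseen segment still present)
# and pcap2 (that packet removed in Wireshark).
CONN_PCAP1 = sample_conn_log("1502979585.855778 CPkvTTF91m8B1Yfdb 10.0.81.16 56144 "
    "10.0.81.48 80 tcp - 0.002211 90 11977 SF - - 90 ShAaDdfF 12 722 12 12609 (empty)")
CONN_PCAP2 = sample_conn_log("1502979585.855778 CbMbYjzyDnDallire 10.0.81.16 56144 "
    "10.0.81.48 80 tcp http 0.002211 90 11977 SF - - 0 ShADdfFa 12 722 11 12557 (empty)")

def parse_bro_log(text):
    """Parse a Bro ASCII log into dicts keyed by the #fields names (unset -> None)."""
    sep, unset, fields, records = "\t", "-", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator is declared as an escape sequence, e.g. \x09 for TAB
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line.split(sep)
            if key == "#fields":
                fields = vals
            elif key == "#unset_field":
                unset = vals[0]
        elif line:
            vals = line.split(sep)
            records.append({k: (None if v == unset else v) for k, v in zip(fields, vals)})
    return records

def connections_with_gaps(conn_records):
    """(uid, missed_bytes, history) for flows whose payload Bro never fully saw.
    missed_bytes > 0 means a peer ACKed data that was not captured; the HTTP
    analyzer then works on a stream with a hole, which is why pcap1's conn.log
    shows no 'http' service and its http.log has no method or URI."""
    return [(r["uid"], int(r["missed_bytes"]), r["history"])
            for r in conn_records if int(r["missed_bytes"] or 0) > 0]

def percent_lost(gaps, acks):
    """The figure capture-loss.bro logs: ACKs for unseen data as a share of all ACKs."""
    return 0.0 if acks == 0 else 100.0 * gaps / acks
```

Run over a real conn.log and capture_loss.log from a mirror port, a steady non-zero percent_lost usually points at drops on the SPAN session or capture NIC rather than at Bro.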
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PACP1_single_issue_00.pcap
Type: application/octet-stream
Size: 14075 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170818/533f8b77/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PCAP2_single_issue_00_removed_bad_packet.pcap
Type: application/octet-stream
Size: 13993 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170818/533f8b77/attachment-0003.obj 