[Bro] Is the "service" field of the connection record unreliable?

[Ren, Wenyu]

Hi everyone,

I have a question for the "service" field in the connection record. When I run the "testing/btest/Traces/modbus/modbus.trace" in the bro repo, it contains "MODBUS" for most of the connections except for a few. However, when I run the "testing/btest/Traces/modbus/modbusBig.pcap" trace, all of the connections have empty service fields although they are all using Modbus. The connection record I used is from the new_packet event. Does this mean the service field is quite unreliable and cannot be used to tell the service of the connection? 

If I need to directly use the destination port to identify the service type, there might be other problems. For example, sometimes the destination port contained in the "id" tuple in the connection record is actually the source port. This is probably due to the connection re-establishment from the receiver side. An example can be seen in the highlighted packet in the attached screenshot (which is from the "modbus.trace" in the repo).

So my question is what's the best way to get the service of the connection from Bro. Any help and idea are appreciated. Thanks in advance.

Best,
Wenyu



Wenyu Ren
Ph.D. Candidate
Department of Computer Science
University of Illinois at Urbana-Champaign
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2017-06-06 14-52-51.png
Type: image/png
Size: 65453 bytes
Desc: Screenshot from 2017-06-06 14-52-51.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170606/2dc68400/attachment-0001.bin