[Bro] Bro behind a TLS reverse proxy
Azoff, Justin S
jazoff at illinois.edu
Tue Apr 10 19:13:43 PDT 2018
I'm not sure what the problem is here, but it most definitely does not have anything to do with physical/virtual or NIC hardware.
The lo interface is handled 100% by the kernel and doesn't touch the hardware, so this looks like some odd kernel or libpcap bug. I don't think libpcap does anything with the timestamps other than to send them along, and the fact that this seems to only happen on the synack packet points more to a kernel issue.
It's probably related to some kind of optimization for completing connections faster over loopback.
If one has time, converting the test case into a reproducible script and using it with git bisect on the kernel could track this down.
—
Justin Azoff
> On Apr 10, 2018, at 6:33 PM, Philip Romero <promero at cenic.org> wrote:
>
> Brandon,
>
> Success...? Both my VirtualBox VM and physical server show the wrong date/time on the SYN/ACK using the updated testing script you sent.