[Bro] Bro and Fragmentation.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Aug 13 09:00:13 PDT 2018


Hi All,

Recently I was troubleshooting some fragmentation occurring in UDP DNS
responses from our DNS servers, because of packet size > 1500 bytes.
The responses are completely valid, including 13 additional RRs with 7
authoritative records, hence exceeding the normal size of the packet and
getting fragmented into two packets.
When I grep'ed the connection from the dns.log file in Bro, it appeared that Bro
logged two connections for the single fragmented DNS response:

2018-08-13T10:16:40-0400	C42pXn2GRPxmh8JRBd	74.220.198.174	19401	128.175.13.16	53	udp	34754	-	upenn.edu	1	C_INTERNET	15	MX	-	-	F	F	F	F	1	-	-	F	-	-

2018-08-13T10:16:40-0400	CsFVfL2czxAmhLprqj	74.220.198.174	19401	128.175.13.16	53	udp	34754	-	upenn.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	cluster5a.us.messagelabs.com,cluster5.us.messagelabs.com,<unknown type=46>	900.000000,900.000000,900.000000	F	dns1.udel.edu,dns2.udel.edu,adns1.upenn.edu,sns-pb.isc.org,<unknown type=46>,adns3.upenn.edu,adns2.upenn.edu	128.91.254.22,2607:f470:1002::2:3,2607:f470:1003::3:c,<unknown type=46>,128.91.251.33,2607:f470:1001::1:a,128.91.3.128


I verified the transaction ID (34754) against the one in the pcap capture of
the same traffic from the firewall and was curious to know how Bro deals
with fragment reassembly and logging.

Any thoughts?

Thanks!
Fatema.

P.S: I can provide the pcap capture to the corresponding connection
mentioned above.
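As an added example (not part of the post or of Bro itself), a small Python check that correlates dns.log records the way the question implies: group by 5-tuple and transaction ID and report transactions whose query half and answer half were logged under different uids. The column order assumes the dns.log layout shown above (including the auth/addl columns), and the two sample records are constructed from the ones quoted in the post.

```python
from collections import defaultdict

# Assumed column order of the dns.log shown in the post (auth/addl included).
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "trans_id",
          "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name", "rcode",
          "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
          "auth", "addl"]

# Constructed sample: the two records from the post, re-joined as tab-separated lines.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ["2018-08-13T10:16:40-0400", "C42pXn2GRPxmh8JRBd", "74.220.198.174", "19401",
     "128.175.13.16", "53", "udp", "34754", "-", "upenn.edu", "1", "C_INTERNET",
     "15", "MX", "-", "-", "F", "F", "F", "F", "1", "-", "-", "F", "-", "-"],
    ["2018-08-13T10:16:40-0400", "CsFVfL2czxAmhLprqj", "74.220.198.174", "19401",
     "128.175.13.16", "53", "udp", "34754", "-", "upenn.edu", "-", "-", "-", "-",
     "0", "NOERROR", "T", "F", "F", "F", "0",
     "cluster5a.us.messagelabs.com,cluster5.us.messagelabs.com",
     "900.000000,900.000000", "F", "dns1.udel.edu,adns1.upenn.edu", "128.91.254.22"],
])


def parse_dns_log(text):
    """Parse tab-separated dns.log lines (skipping #-prefixed header lines) into dicts."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rows.append(dict(zip(FIELDS, line.split("\t"))))
    return rows


def find_split_transactions(rows):
    """Return {trans_id: sorted uids} for transactions where the query-only record
    and the answer-only record share a 5-tuple and trans_id but carry different uids."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["orig_h"], r["orig_p"], r["resp_h"], r["resp_p"], r["proto"], r["trans_id"])
        groups[key].append(r)
    split = {}
    for key, recs in groups.items():
        uids = {r["uid"] for r in recs}
        query_only = any(r["qtype"] != "-" and r["rcode_name"] == "-" for r in recs)
        answer_only = any(r["qtype"] == "-" and r["rcode_name"] != "-" for r in recs)
        if len(uids) > 1 and query_only and answer_only:
            split[key[-1]] = sorted(uids)
    return split


if __name__ == "__main__":
    print(find_split_transactions(parse_dns_log(SAMPLE_LOG)))
```

Run over a real dns.log (after stripping the `#` header lines) the same check lists every transaction ID that was split across two uids the way the post describes.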