[Bro] Gigamon issues

Carl Rotenan carlrotenan at gmail.com
Mon Jun 4 17:24:47 PDT 2018


Here is a link to the captures that I'm having trouble getting Bro to
extract,

https://www.dropbox.com/s/suebc590a5yb2ym/caps.zip?dl=0

Wireshark and Suricata are able to retrieve the files, so I'm stymied.

On Mon, Jun 4, 2018 at 11:43 AM, Carl Rotenan <carlrotenan at gmail.com> wrote:

> Hello,
>
> I'm trying to extract files from traffic coming from a Gigamon box doing
> SSL decryption, but Bro doesn't seem to like or be able to comprehend the
> data. I get the following entries in my weird.log file. Does anyone have a
> Gigamon they are able to do this with, or any ideas what the logs seem to
> indicate?
>
> Thanks,
>
> Carl
>
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path weird
> #open 2018-06-04-11-37-09
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
> #types time string addr port addr port string string bool string
> 1528122717.528452 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122720.752922 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 window_recision - F bro
> 1528122782.018423 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122782.018433 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_ack_underflow_or_misorder - bro
> 1528122782.237519 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_seq_underflow_or_misorder - bro
> 1528122805.509482 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122808.723988 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 window_recision - F bro
> #close 2018-06-04-11-37-09
>
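The weird.log excerpt in the quoted message is Bro's tab-separated ASCII log format, whose `#separator`, `#fields`, `#types` and `#unset_field` header lines describe the rows that follow. The parser below is an added example (not Bro's own code and not from the poster): it honours those headers, types each column from `#types`, and reports rather than silently mis-types any row whose field count does not match `#fields` (two rows in the message arrive with nine of the ten declared columns, which is what a mail client or wrapping can do to a log). It then tallies the weird names per connection uid, the first triage step when deciding whether a whole class of weirds traces back to one upstream device rewriting the TCP stream. The sample input is the message's rows re-typed with tabs restored (constructed for this example), and the `TCP_STREAM_WEIRDS` grouping is an assumption of ours, chosen because all four names are raised by Bro's TCP analyzer for sequence/ack inconsistencies.

```python
"""Parse a Bro/Zeek ASCII weird.log and tally weird names per connection.

Added example: the sample log below is re-typed from the mailing list
message (tabs restored); this parser is not part of Bro/Zeek.
"""
from collections import defaultdict

# Assumption: our own grouping of weird names that Bro's TCP analyzer emits
# when a stream's sequence/ack numbers are inconsistent, used only for triage.
TCP_STREAM_WEIRDS = {
    "SYN_seq_jump",
    "window_recision",
    "TCP_ack_underflow_or_misorder",
    "TCP_seq_underflow_or_misorder",
}

# Constructed sample: the rows from the message, tab-separated as Bro writes
# them. Two rows are kept exactly as they appear there, with a field missing.
SAMPLE_WEIRD_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tweird",
    "#open\t2018-06-04-11-37-09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring",
    "1528122717.528452\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro",
    "1528122720.752922\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\twindow_recision\t-\tF\tbro",
    "1528122782.018423\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro",
    "1528122782.018433\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tTCP_ack_underflow_or_misorder\t-\tbro",
    "1528122782.237519\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tTCP_seq_underflow_or_misorder\t-\tbro",
    "1528122805.509482\tCd5o3I37LutpcsMP8a\t10.1.10.122\t52546\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro",
    "1528122808.723988\tCd5o3I37LutpcsMP8a\t10.1.10.122\t52546\t134.213.72.175\t80\twindow_recision\t-\tF\tbro",
    "#close\t2018-06-04-11-37-09",
])


def _decode_separator(token):
    # "#separator \x09" spells the separator as a backslash escape.
    return token.encode().decode("unicode_escape")


def _convert(value, ztype, unset, empty):
    """Turn one column's text into a Python value according to its #types entry."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if ztype in ("time", "double", "interval"):
        return float(value)
    if ztype in ("port", "count", "int"):
        return int(value)
    if ztype == "bool":
        return value == "T"
    return value  # addr, string, enum: keep as text


def parse_zeek_log(text):
    """Return (records, malformed): dict rows, and (lineno, line) for bad rows."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types = [], []
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_separator(line[len("#separator "):])
                continue
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue  # #path, #open, #close, #set_separator: nothing to do
        cols = line.split(sep)
        if len(cols) != len(fields):
            malformed.append((lineno, line))  # do not guess which field is gone
            continue
        records.append({f: _convert(v, t, unset, empty)
                        for f, v, t in zip(fields, cols, types)})
    return records, malformed


def weirds_by_connection(records):
    """Map each connection uid to the weird names seen on it, in log order."""
    by_uid = defaultdict(list)
    for rec in records:
        by_uid[rec["uid"]].append(rec["name"])
    return dict(by_uid)


def tcp_stream_only(records):
    """uids whose weirds are exclusively TCP sequence/ack anomalies."""
    return sorted(uid for uid, names in weirds_by_connection(records).items()
                  if set(names) <= TCP_STREAM_WEIRDS)


if __name__ == "__main__":
    recs, bad = parse_zeek_log(SAMPLE_WEIRD_LOG)
    print(f"{len(recs)} rows parsed, {len(bad)} malformed: {[n for n, _ in bad]}")
    for uid, names in weirds_by_connection(recs).items():
        print(uid, names)
    print("TCP-stream-only connections:", tcp_stream_only(recs))
```

Run against the sample, every well-formed connection lands in the TCP-stream-only list and the two short rows are reported by line number. On a live sensor the same script can be pointed at a real weird.log to check whether the anomalies are confined to traffic arriving from one tap or decryptor (group on `id.resp_h`/`peer` instead of `uid` as needed) before any file-extraction problem is chased further.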