[Bro] Gigamon issues

Hosom, Stephen M hosom at battelle.org
Thu Jun 7 06:44:38 PDT 2018


There’s lots of missing data in these captures. Are you doing something other than decryption with these packets before Bro gets its hands on them?


cat conn.log | bro-cut missed_bytes | grep -v '^0$'

1871523195
784491773
14915895983
97421147


From: <bro-bounces at bro.org> on behalf of Carl Rotenan <carlrotenan at gmail.com>
Date: Monday, June 4, 2018 at 8:38 PM
To: bro <bro at bro.org>
Subject: Re: [Bro] Gigamon issues

Here is a link to the captures that I'm having trouble getting Bro to extract files from:

https://www.dropbox.com/s/suebc590a5yb2ym/caps.zip?dl=0

Wireshark and Suricata are able to retrieve the files, so I'm stymied.

On Mon, Jun 4, 2018 at 11:43 AM, Carl Rotenan <carlrotenan at gmail.com> wrote:
Hello,

I'm trying to extract files from traffic coming from a Gigamon box doing SSL decryption, but Bro doesn't seem to like or be able to comprehend the data. I get the following entries in my weird.log file. Does anyone have a Gigamon they are able to do this with, or any ideas what the logs seem to indicate?

Thanks,

Carl

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2018-06-04-11-37-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1528122717.528452 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 SYN_seq_jump - F bro
1528122720.752922 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 window_recision - F bro
1528122782.018423 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 SYN_seq_jump - F bro
1528122782.018433 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_ack_underflow_or_misorder - bro
1528122782.237519 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_seq_underflow_or_misorder - bro
1528122805.509482 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 SYN_seq_jump - F bro
1528122808.723988 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 window_recision - F bro
#close 2018-06-04-11-37-09
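The check Hosom suggests above (look at missed_bytes in conn.log) and the weird.log names Carl posted are two views of the same reassembly problem, so it helps to join them per connection uid. The script below is an added example, not code from this thread or from the Bro project: it parses Bro's TSV log format from the # header lines, joins conn.log missed_bytes with the TCP reassembly weirds seen for the same uid, and filters numerically rather than textually (a text filter such as `grep -v 0` also drops any non-zero count that happens to contain the digit 0). The weird.log rows copy the names and uids from the thread; the conn.log rows, their missed_bytes values, history strings and the two extra uids are constructed for this example.

```python
"""Join conn.log missed_bytes with weird.log names per connection uid.

Added example, not code from the thread or from Bro itself.  Both log
excerpts below are constructed: the weird.log rows reuse the names and uids
posted in the thread, the conn.log rows are made up to exercise the join.
"""

from collections import defaultdict
from typing import Dict, List, Optional

# Weird names from the posted weird.log that point at TCP reassembly trouble.
TCP_REASSEMBLY_WEIRDS = {
    "SYN_seq_jump",
    "window_recision",
    "TCP_ack_underflow_or_misorder",
    "TCP_seq_underflow_or_misorder",
}

# Constructed conn.log excerpt (trimmed to the columns this example uses).
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tmissed_bytes\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring
1528122717.528452\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\ttcp\t1871523195\tShADadgf
1528122782.018423\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\ttcp\t0\tShADadF
1528122805.509482\tCd5o3I37LutpcsMP8a\t10.1.10.122\t52546\t134.213.72.175\t80\ttcp\t784491773\tShADadgF
1528122810.100000\tCgapWithZeroDigit1\t10.1.10.122\t52547\t134.213.72.175\t80\ttcp\t1024\tShADadgF
1528122811.200000\tCcleanConnNoIssue0\t10.1.10.122\t52548\t134.213.72.175\t80\ttcp\t0\tShADadFf
#close 2018-06-04-11-37-09
"""

# Constructed weird.log excerpt mirroring the rows in the thread.
WEIRD_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1528122717.528452\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro
1528122720.752922\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\twindow_recision\t-\tF\tbro
1528122782.018423\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro
1528122782.018433\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tTCP_ack_underflow_or_misorder\t-\tF\tbro
1528122782.237519\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tTCP_seq_underflow_or_misorder\t-\tF\tbro
#close 2018-06-04-11-37-09
"""


def parse_bro_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Bro's TSV log format: '#' header lines, then one row per line.

    The separator is taken from the '#separator' line (written as an escape
    sequence such as \\x09), field names from '#fields', and the unset marker
    from '#unset_field'; unset values come back as None.
    """
    sep, unset = "\t", "-"
    fields: List[str] = []
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *values = line[1:].split(sep)
            if key == "fields":
                fields = values
            elif key == "unset_field":
                unset = values[0]
            continue  # #set_separator, #types, #path, #open, #close are not needed here
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"row has {len(cols)} columns, header has {len(fields)}: {line!r}")
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, cols)})
    return rows


def triage(conn_text: str, weird_text: str) -> List[Dict[str, object]]:
    """One record per uid with missed bytes or a reassembly weird, largest gap first."""
    weirds: Dict[str, List[str]] = defaultdict(list)
    for row in parse_bro_log(weird_text):
        if row["name"] in TCP_REASSEMBLY_WEIRDS:
            weirds[row["uid"]].append(row["name"])
    report: List[Dict[str, object]] = []
    for row in parse_bro_log(conn_text):
        missed = int(row["missed_bytes"] or 0)  # numeric compare, not a text filter on "0"
        names = sorted(set(weirds.get(row["uid"], [])))
        if missed == 0 and not names:
            continue
        report.append({
            "uid": row["uid"],
            "conn": f"{row['id.orig_h']}:{row['id.orig_p']} -> {row['id.resp_h']}:{row['id.resp_p']}",
            "missed_bytes": missed,
            "history": row["history"],
            "weirds": names,
        })
    report.sort(key=lambda r: r["missed_bytes"], reverse=True)
    return report


if __name__ == "__main__":
    for rec in triage(CONN_LOG, WEIRD_LOG):
        print(f"{rec['uid']} {rec['conn']} missed={rec['missed_bytes']} "
              f"history={rec['history']} weirds={','.join(rec['weirds']) or '-'}")
```

Run against real logs, replace the two constants with the file contents (the header parsing is the same as bro-cut relies on). A connection that shows up with a large missed_bytes count plus SYN_seq_jump or window_recision, and a 'g' (content gap) in its history, is one where Bro's TCP reassembler gave up on the stream, which is why file extraction stays empty even though tools that reassemble more loosely still recover the file.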
