[Bro] Different Connection UID when using different modes

DW brot212 at googlemail.com
Fri Jun 29 08:09:45 PDT 2018


Hi there,

I wrote a little script to keep track of some values sent between two 
PLCs, measuring the pressure of a compressor. To test it, I recorded the 
data traffic between those PLCs with Wireshark.

However, I noticed that if I run Bro as a command-line utility, all 
packets belong to the same Connection UID (which is right, it's one 
single TCP connection), like this:

1524935590.861128    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Abfall      3.028429
1524935592.240910    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Abfall      2.936921
1524935593.510075    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Abfall      2.855541
1524935594.644501    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Abfall      2.78682
1524935595.890453    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Abfall      2.762949
1524935597.034076    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.765842
1524935598.310198    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.772352
1524935599.455176    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.777778
1524935600.715050    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.783203
1524935601.858465    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.78899
1524935603.105988    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.794777
1524935604.263663    C0A3ti4l4OfYaOOY2h    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.798756


If I replay the pcap with tcpreplay and use Bro with BroCtl, the 
connection UID changes every 4 to 5 packets:

1530283326.472442    C0RGCfPjoO1qjgaB3     192.168.0.2    49153    192.168.0.20    102    Abfall      3.028429
1530283327.851737    ClqAHP3vbrPywNYyBl    192.168.0.2    49153    192.168.0.20    102    Abfall      2.936921
1530283329.200584    ClqAHP3vbrPywNYyBl    192.168.0.2    49153    192.168.0.20    102    Abfall      2.855541
1530283330.327749    ClqAHP3vbrPywNYyBl    192.168.0.2    49153    192.168.0.20    102    Abfall      2.78682
1530283331.575829    ClqAHP3vbrPywNYyBl    192.168.0.2    49153    192.168.0.20    102    Abfall      2.762949
1530283332.723797    ClqAHP3vbrPywNYyBl    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.765842
1530283333.995711    CHT44c1znQoXygQZFh    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.772352
1530283335.139726    CHT44c1znQoXygQZFh    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.777778
1530283336.399753    CHT44c1znQoXygQZFh    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.783203
1530283337.547808    CHT44c1znQoXygQZFh    192.168.0.2    49153    192.168.0.20    102    Anstieg     2.78899
1530283338.791763    CoRELlzadjrZDCds2     192.168.0.2    49153    192.168.0.20    102    Anstieg     2.794777
1530283339.947775    CoRELlzadjrZDCds2     192.168.0.2    49153    192.168.0.20    102    Anstieg     2.798756

Could it be because I'm using tcpreplay? Or is it a wanted behavior of Bro?

Thanks!

Dane
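As an added illustration (not from the poster's script or from Bro itself), the check below does mechanically what the post does by eye: it groups records by their TCP 4-tuple and lists the runs of distinct UIDs each flow was logged under, so a flow split across UIDs stands out. It assumes the column order ts, uid, orig_h, orig_p, resp_h, resp_p, label, value and uses six records from the second listing as constructed input.

```python
# Constructed sample input: six records from the second listing above (BroCtl +
# tcpreplay). Assumed column order: ts uid orig_h orig_p resp_h resp_p label value
SAMPLE = """\
1530283326.472442 C0RGCfPjoO1qjgaB3 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1530283327.851737 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1530283329.200584 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1530283332.723797 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1530283333.995711 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1530283338.791763 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
"""

def parse_records(text):
    """Parse whitespace-separated records; blank lines and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 8:
            raise ValueError(f"malformed record: {line!r}")
        records.append({
            "ts": float(fields[0]),
            "uid": fields[1],
            # orig_h, orig_p, resp_h, resp_p identify the TCP connection
            "flow": (fields[2], int(fields[3]), fields[4], int(fields[5])),
            "value": float(fields[7]),
        })
    return records

def uid_runs(records):
    """For each 4-tuple, the consecutive runs of a single UID, in time order."""
    flows = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        runs = flows.setdefault(r["flow"], [])
        if runs and runs[-1]["uid"] == r["uid"]:
            runs[-1]["last_ts"] = r["ts"]
            runs[-1]["count"] += 1
        else:  # UID changed although the 4-tuple did not: a new run starts
            runs.append({"uid": r["uid"], "first_ts": r["ts"], "last_ts": r["ts"], "count": 1})
    return flows

def split_flows(records):
    """Flows whose records were logged under more than one UID (the symptom in the post)."""
    return {flow: runs for flow, runs in uid_runs(records).items() if len(runs) > 1}

if __name__ == "__main__":
    for flow, runs in split_flows(parse_records(SAMPLE)).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} logged under {len(runs)} UIDs")
        for run in runs:
            print(f"  {run['uid']:<20} {run['count']} record(s)  {run['first_ts']:.6f} .. {run['last_ts']:.6f}")
```

Run against the command-line listing the same flow yields a single run and `split_flows` returns an empty dict.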


