[Zeek] About FlipRoles function

Robin Sommer robin at corelight.com
Mon Dec 16 23:38:33 PST 2019



On Tue, Dec 17, 2019 at 15:23 +0800, 周斌 wrote:

>     1. When the function(Connection::FlipRoles) was called?

There are a couple of places but the main one is when Zeek sees a
partial connection that has a well-known port on the *originator*
side. It then assumes that it must have missed the actual first packet
because the well-known port would normally be on the responder side.
So it flips the direction internally before doing anything further.

>     2. Not need to think of MAC address?

It should be flipping that, too, see the code for
Connection::FlipRoles().

>    And I've run into some technical problems recently. In conn.log, You can see:
>   "id.orig_h":"Source IP","id.resp_h":"Destination IP",......"orig_l2_addr":"Destination MAC","resp_l2_addr":"Source MAC". 

I'm not quite sure if you're saying you aren't seeing the MAC address
being flipped? Or *they* are flipped, but not the IP addresses? Do you
have a trace that shows what you're observing?

Robin

-- 
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com
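To make the heuristic in Robin's reply concrete, here is an added Python illustration that is not Zeek's own code and not part of this thread. It models a partial connection record, applies the rule he describes (well-known port on the originator side of a partial connection means the first packet was probably missed, so swap the roles), and includes a consistency check of the kind a defender could run over conn.log-style records to catch the symptom the question describes, where the L2 addresses no longer match the IPs they are attached to. The set `LIKELY_SERVER_PORTS`, the record layout, the `L2_OF` map and all sample addresses are constructed assumptions for this example, not Zeek's `likely_server_ports` or its conn.log internals; `flip_l3_only` is a hypothetical defective flip included only to show what the check catches.

```python
"""Added example (not Zeek code): the originator/responder role-flip
heuristic described in the thread, plus a consistency check for the
resulting records. All names, ports and addresses are constructed."""
from dataclasses import dataclass

# Assumption: a small stand-in for Zeek's script-configurable
# likely_server_ports set.
LIKELY_SERVER_PORTS = {22, 25, 53, 80, 443, 993}

# Assumption: ground truth of which MAC belongs to which host on this
# segment, used only by the consistency check.
L2_OF = {
    "192.168.1.10": "aa:bb:cc:00:00:01",
    "10.0.0.5": "aa:bb:cc:00:00:02",
}


@dataclass(frozen=True)
class ConnState:
    """Constructed subset of a connection record (conn.log-like names)."""
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    orig_l2_addr: str
    resp_l2_addr: str
    partial: bool  # True when the real first packet (e.g. SYN) was missed


def should_flip(c: ConnState) -> bool:
    """The rule from the thread: a partial connection whose originator
    port is a well-known service port (and whose responder port is not)
    was most likely seen mid-stream with the roles reversed."""
    return (c.partial
            and c.orig_p in LIKELY_SERVER_PORTS
            and c.resp_p not in LIKELY_SERVER_PORTS)


def flip_roles(c: ConnState) -> ConnState:
    """Swap every per-side field: IPs, ports AND the L2 (MAC) addresses,
    so each MAC stays attached to the host it belongs to."""
    return ConnState(
        orig_h=c.resp_h, orig_p=c.resp_p,
        resp_h=c.orig_h, resp_p=c.orig_p,
        orig_l2_addr=c.resp_l2_addr, resp_l2_addr=c.orig_l2_addr,
        partial=c.partial,
    )


def flip_l3_only(c: ConnState) -> ConnState:
    """Hypothetical defective flip that swaps IPs/ports but forgets the
    MACs. Its output looks exactly like the symptom reported in the
    question: orig_l2_addr ends up being the responder's MAC."""
    return ConnState(
        orig_h=c.resp_h, orig_p=c.resp_p,
        resp_h=c.orig_h, resp_p=c.orig_p,
        orig_l2_addr=c.orig_l2_addr, resp_l2_addr=c.resp_l2_addr,
        partial=c.partial,
    )


def normalize(c: ConnState) -> ConnState:
    """Apply the heuristic once, before any further processing."""
    return flip_roles(c) if should_flip(c) else c


def is_consistent(c: ConnState, l2_of: dict) -> bool:
    """Detection check: each side's recorded MAC must be the MAC of that
    side's IP. A False here means the L2 and L3 fields disagree."""
    return (l2_of.get(c.orig_h) == c.orig_l2_addr
            and l2_of.get(c.resp_h) == c.resp_l2_addr)


# Constructed sample: capture started mid-connection, and the first
# packet seen travelled from the server's TCP/443 to a client ephemeral
# port, so the server was provisionally recorded as the originator.
SAMPLE_PARTIAL = ConnState(
    orig_h="10.0.0.5", orig_p=443,
    resp_h="192.168.1.10", resp_p=51234,
    orig_l2_addr="aa:bb:cc:00:00:02",
    resp_l2_addr="aa:bb:cc:00:00:01",
    partial=True,
)

# Same endpoints, but the SYN was seen: no reason to second-guess roles.
SAMPLE_COMPLETE = ConnState(
    orig_h="192.168.1.10", orig_p=51234,
    resp_h="10.0.0.5", resp_p=443,
    orig_l2_addr="aa:bb:cc:00:00:01",
    resp_l2_addr="aa:bb:cc:00:00:02",
    partial=False,
)

if __name__ == "__main__":
    fixed = normalize(SAMPLE_PARTIAL)
    print("flipped:", fixed, "consistent:", is_consistent(fixed, L2_OF))
    broken = flip_l3_only(SAMPLE_PARTIAL)
    print("l3-only:", broken, "consistent:", is_consistent(broken, L2_OF))
```

The useful takeaway for anyone debugging the reported conn.log output is the last check: if `orig_l2_addr` is the responder's MAC while `id.orig_h` is the client's IP, the record is internally inconsistent, which is what a trace would need to confirm before concluding the flip is incomplete.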

