[Zeek] About FlipRoles function
Robin Sommer
robin at corelight.com
Mon Dec 16 23:38:33 PST 2019
On Tue, Dec 17, 2019 at 15:23 +0800, 周斌 wrote:
> 1. When is the function (Connection::FlipRoles) called?
There are a couple of places but the main one is when Zeek sees a
partial connection that has a well-known port on the *originator*
side. It then assumes that it must have missed the actual first packet
because the well-known port would normally be on the responder side.
So it flips the direction internally before doing anything further.
> 2. No need to think about the MAC address?
It should be flipping that, too, see the code for
Connection::FlipRoles().
> And I've run into some technical problems recently. In conn.log, you can see:
> "id.orig_h":"Source IP","id.resp_h":"Destination IP",......"orig_l2_addr":"Destination MAC","resp_l2_addr":"Source MAC".
I'm not quite sure if you're saying you aren't seeing the MAC address
being flipped? Or *they* are flipped, but not the IP addresses? Do you
have a trace that shows what you're observing?
Robin
--
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com
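The role-flipping heuristic Robin describes (a partial connection whose well-known port sits on the originator side gets its direction swapped, link-layer addresses included), modelled in Python as an added example. This is not Zeek's code and not part of the thread: the `ConnRecord` type, the `LIKELY_SERVER_PORTS` set, the `saw_syn` flag used to stand in for "partial connection", and the `ip_to_mac` map used by the consistency check are all constructed for the illustration. Zeek's real implementation lives in the C++ `Connection::FlipRoles()` mentioned above and keeps its own port list.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for the well-known server ports; Zeek keeps its own list.
LIKELY_SERVER_PORTS = {22, 25, 53, 80, 443}


@dataclass(frozen=True)
class ConnRecord:
    """Minimal conn.log-like record (constructed; field names mirror conn.log)."""
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    orig_l2_addr: str
    resp_l2_addr: str
    saw_syn: bool  # True when the handshake's first packet was observed


def flip_roles(c: ConnRecord) -> ConnRecord:
    """Swap originator and responder: IPs, ports AND link-layer addresses.

    Flipping only the IP/port tuple would leave orig_l2_addr pointing at the
    responder's MAC, which is exactly the kind of mismatch the thread asks about.
    """
    return replace(
        c,
        orig_h=c.resp_h, orig_p=c.resp_p,
        resp_h=c.orig_h, resp_p=c.orig_p,
        orig_l2_addr=c.resp_l2_addr, resp_l2_addr=c.orig_l2_addr,
    )


def should_flip(c: ConnRecord) -> bool:
    """Heuristic from the thread (assumed formulation): the connection is
    partial (first packet missed) and the well-known port is on the
    originator side but not on the responder side, so the observed direction
    is probably backwards."""
    return (
        not c.saw_syn
        and c.orig_p in LIKELY_SERVER_PORTS
        and c.resp_p not in LIKELY_SERVER_PORTS
    )


def normalize(c: ConnRecord) -> ConnRecord:
    """Return the record with roles flipped when the heuristic says so."""
    return flip_roles(c) if should_flip(c) else c


def l2_consistent(c: ConnRecord, ip_to_mac: dict) -> bool:
    """Check that each side's link-layer address matches its IP according to
    an externally supplied IP->MAC map (constructed here; in practice this
    could come from ARP or DHCP observations). Records that fail this check
    are candidates for 'IPs flipped but MACs not' or the reverse."""
    return (
        ip_to_mac.get(c.orig_h) == c.orig_l2_addr
        and ip_to_mac.get(c.resp_h) == c.resp_l2_addr
    )


if __name__ == "__main__":
    # Constructed sample: mid-stream capture where the server-side port (443)
    # appears on the originator side, i.e. the first packet was missed.
    partial = ConnRecord("10.0.0.5", 443, "10.0.0.9", 51000,
                         "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:09", saw_syn=False)
    fixed = normalize(partial)
    print("flipped:", should_flip(partial))
    print("orig:", fixed.orig_h, fixed.orig_p, fixed.orig_l2_addr)
    print("resp:", fixed.resp_h, fixed.resp_p, fixed.resp_l2_addr)

    macs = {"10.0.0.5": "aa:bb:cc:00:00:05", "10.0.0.9": "aa:bb:cc:00:00:09"}
    print("l2 consistent after flip:", l2_consistent(fixed, macs))
```

The `l2_consistent` check is the quick way to tell the two situations Robin asks about apart: a record whose IPs were flipped but whose MACs were not will fail it, while a record where both were flipped together passes.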