[Zeek] Bro file extraction & out of order packets behavior

Bruce Kao brucekao at heliosdata.com
Thu Jan 10 15:43:07 PST 2019


Hi


I am currently investigating an issue with HTTP file extraction with the file analyzer: very frequently I see missing_bytes in the file log, which causes the file to be incomplete and fails to extract the file or generate a hash.


I am running Bro in a virtual machine, sniffing in promiscuous mode on an interface that is on a virtual switch.


After examining a bunch of packet captures, I tracked the problem down to this: when Bro sees out-of-order ACKs before the actual data packet, the problem with missing_bytes is observed.


It seems to me that there is no TCP reassembler between the TCP analyzer and the HTTP analyzer (or file analyzer?), as Bro's documents indicate, since reassembled TCP payloads are only delivered via a tcp_content event.


Does anyone have any information on how to make this work? Is it a configuration problem or...


Appreciate any tips that you may have, thanks!
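The practical risk behind the question above is that a file finished with missing_bytes > 0 still gets written to disk, and any hash computed over it is a hash of a file with holes, not of what the client received. The script below is an added example written for this page (it is not code from the original post, nor from the Zeek project itself): it attaches the extract and SHA256 analyzers only to HTTP-carried files and, when a file is torn down with gaps, raises a notice so the extracted copy and its hash are treated as untrusted rather than silently consumed. The module name, the notice type Incomplete_File and the extract_sources set are my own choices; the fa_file fields (missing_bytes, seen_bytes, total_bytes, source, id) and the Files/Notice framework calls are Zeek's.

```zeek
# incomplete-extract.zeek (added example, not from the original post)
#
# Extract HTTP-carried files and flag the ones Zeek/Bro finished with gaps.
# A file with missing_bytes > 0 was written with holes, so neither the
# extracted copy nor the hash over it describes what the client got.

@load base/frameworks/files
@load base/frameworks/notice
@load base/protocols/http

module IncompleteExtract;

export {
    redef enum Notice::Type += {
        ## Raised when a file was torn down with missing_bytes > 0.
        Incomplete_File
    };

    ## Only files seen over these sources are extracted.
    ## (Assumption for this example: HTTP only.)
    const extract_sources: set[string] = { "HTTP" } &redef;
}

event file_new(f: fa_file)
    {
    if ( f$source !in extract_sources )
        return;

    # Extracted files land under FileExtract::prefix (default ./extract_files/).
    local fname = fmt("extract-%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

event file_state_remove(f: fa_file)
    {
    if ( f$source !in extract_sources )
        return;

    # missing_bytes counts payload the reassembler never delivered, which is
    # exactly the condition the post describes (gaps after out-of-order ACKs).
    if ( f$missing_bytes == 0 )
        return;

    local total = f?$total_bytes ? fmt("%d", f$total_bytes) : "unknown";

    NOTICE([$note=Incomplete_File,
            $msg=fmt("file %s over %s finished with %d missing bytes (seen %d of %s); extracted copy and hash are unreliable",
                     f$id, f$source, f$missing_bytes, f$seen_bytes, total),
            $f=f,
            $identifier=f$id]);
    }
```

Run it against one of the captures that shows the problem (`bro -r capture.pcap incomplete-extract.zeek` on the 2.x releases the post is about, `zeek -r ...` on current versions) and compare notice.log with files.log: every file that has a non-zero missing_bytes column in files.log should have a matching Incomplete_File notice, and the downstream consumer of extract_files/ should drop or quarantine those rather than feed their hashes into a lookup.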


