[Zeek] Bro file extraction & out of order packets behavior

Michael Shirk shirkdog.bsd at gmail.com
Thu Jan 10 16:22:56 PST 2019


Take a look at capture_loss.log to see if you are in fact not seeing
complete connections.

Missed bytes is telling you that there may be a problem in the acquisition
of packets. Have you verified with a packet capture in Wireshark that you
can reassemble the connection to get a complete file?

I would also create a clean pcap of the file transfer and then test you are
getting your hits on the hash, and then figure out the issue with the
packet acquisition. Sometimes you have to disable checksum verification on
the NIC to get things working.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com


On Thu, Jan 10, 2019, 18:51 Bruce Kao <brucekao at heliosdata.com> wrote:

> Hi
>
>
> I am currently investigating an issue with HTTP file extraction with the file
> analyzer: very frequently I see missing_bytes in the file log, which
> causes the file to be incomplete and fails to extract the file or generate a
> hash.
>
>
> I am running bro in a virtual machine sniffing on an interface in
> promiscuous mode that is on a virtual switch.
>
>
> After examining a bunch of packet captures, I tracked the problem down to
> this: when Bro sees out-of-order ACKs before the actual packet, the problem with
> missing_bytes is observed.
>
>
> It seems to me that there is no TCP reassembler; Bro's documents
> indicated that the TCP analyzer for the HTTP analyzer (or file analyzer?),
> since reassembled TCP payloads are only delivered via a tcp_content event.
>
>
> Does anyone have any information on how to make this work?  Is it a
> configuration problem or...
>
>
> Appreciate any tips that you may have thanks!
>
>
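An added example, not code from this thread or from the Zeek project, of the check Michael suggests: parse Zeek's files.log and capture_loss.log and report each incomplete file together with the capture loss Zeek measured in the surrounding interval. It assumes Zeek's default TSV log layout (column names in the `#fields` header) and uses constructed sample rows.

```python
"""Correlate files.log missing_bytes with capture_loss.log (added example).
Zeek's capture_loss rows cover the interval (ts - ts_delta, ts]; a file that
is incomplete while percent_lost is 0.0 points at reassembly, not at drops."""
from typing import Dict, List, Tuple

# Constructed sample logs, tab-separated as Zeek writes them (subset of columns).
FILES_LOG = "\n".join([
    "#fields\tts\tfuid\tsource\tseen_bytes\ttotal_bytes\tmissing_bytes\tsha256",
    "\t".join(["1547160100.1", "FaaaAA1", "HTTP", "1024", "1024", "0", "deadbeef"]),
    "\t".join(["1547160150.5", "FbbbBB2", "HTTP", "700", "4096", "3396", "-"]),
    "\t".join(["1547160190.2", "FcccCC3", "HTTP", "2048", "2048", "0", "cafebabe"]),
])
CAPTURE_LOSS_LOG = "\n".join([
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "\t".join(["1547160120.0", "900.0", "bro", "0", "5000", "0.0"]),
    "\t".join(["1547161020.0", "900.0", "bro", "12", "4800", "0.25"]),
])

def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log: column names come from '#fields', other '#' lines are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def incomplete_files(files_log: str) -> List[Dict[str, str]]:
    """Files where Zeek saw fewer bytes than the transfer announced."""
    return [r for r in parse_zeek_log(files_log) if int(r["missing_bytes"]) > 0]

def capture_loss_for(ts: float, loss_log: str) -> float:
    """percent_lost of the capture_loss interval covering ts; 0.0 if no row covers it."""
    for r in parse_zeek_log(loss_log):
        end = float(r["ts"])
        start = end - float(r["ts_delta"])
        if start < ts <= end:
            return float(r["percent_lost"])
    return 0.0

def report(files_log: str, loss_log: str) -> List[Tuple[str, int, float]]:
    """(fuid, missing_bytes, percent_lost) for every incomplete file."""
    return [(r["fuid"], int(r["missing_bytes"]), capture_loss_for(float(r["ts"]), loss_log))
            for r in incomplete_files(files_log)]
```

Run it against real logs by reading the two files into strings; a non-zero percent_lost next to the missing bytes means the acquisition path (NIC offload, virtual switch) is dropping packets before Zeek sees them.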