A strange connection


I recently saw the same thing in my logs. It's because orig_bytes and resp_bytes use sequence numbers to find bytes transferred; you are seeing the sequence number rollover. orig_ip_bytes and resp_ip_bytes should have the correct values of bytes (with TCP headers).

Dear Michel,

      If there are duplicated packets due to packet retransmission, will orig_ip_bytes and resp_ip_bytes
be still correct (I mean the bytes may be counted more than once)? If not, what are the reliable fields to
derive the transmitted bytes (not counting duplicated ones)? Thanks.


I believe that orig_ip_bytes (and resp_ip_bytes) would recount bytes; the description of the fields states that they use the IP level total_length field to take their measurements.


It’s the (orig/resp)_bytes field as you suspect. Something happened in this connection that tricked Bro’s sequence id tracking which caused the larger numbers in those fields. If you find it again and are able to capture a pcap of it, we’d be interested in seeing it.