about

Vern · January 4, 2003, 7:18am

However, I am still can't understand why all the status of connection not
from/to my host is "S0", which means "no answer", while my host's
connections were all right.

That's very strange, unless in your setup Bro is massively dropping packets.
So the next thing to do is use Bro's "-w tracefile" option to record the
packets it's analyzing. Next time you find an S0 FTP session which you're
sure was successful, extract the corresponding packets from the trace.
If there are just initial SYNs and nothing else, then Bro was correct, and
you were mistaken regarding that particular session being successful.
If on the other hand there's an initial SYN, no SYN-ACK, but a bunch of
subsequent packets related to the connection, then Bro is dropping packets.
I can help with this analysis (send me the trace off-line) if needed.

Vern

Ashley_Thomas · January 4, 2003, 7:25am

You could also just watch the variable 'drop' returned by pcap_stats( ) to see if there are drops.
pcap_stats is called by bro in the HeartBeat function, i guess.
This is *assuming* pcap is giving the drops value correctly. I remember, there was bug on some OSs.

-ashley

Vern Paxson wrote:

Topic		Replies	Views
Bro always crashes Zeek	1	67	May 6, 2022
Bro bug? Zeek	1	77	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	2	85	May 6, 2022
Bro always crashes Zeek	1	58	May 6, 2022
New Bro User Zeek	1	56	May 6, 2022

about

Related Topics