Recently I was troubleshooting some fragmentation occurring in UDP DNS responses from our DNS servers, because the packet size is > 1500 bytes.
The responses are completely valid, including 13 additional RRs and 7 authoritative records, hence exceeding the normal packet size and getting fragmented into two packets.
When I grepped for the connection in Bro's dns.log file, it appeared that Bro logged two connections for the single fragmented DNS response:
2018-08-13T10:16:40-0400 C42pXn2GRPxmh8JRBd 126.96.36.199 19401 188.8.131.52 53 udp 34754 - upenn.edu 1 C_INTERNET 15 MX - - F F F F 1 - - F - -
2018-08-13T10:16:40-0400 CsFVfL2czxAmhLprqj 184.108.40.206 19401 220.127.116.11 53 udp 34754 - upenn.edu - - - - 0 NOERROR T F F F 0 cluster5a.us.messagelabs.com,cluster5.us.messagelabs.com, 900.000000,900.000000,900.000000 F dns1.udel.edu,dns2.udel.edu,adns1.upenn.edu,sns-pb.isc.org,,adns3.upenn.edu,adns2.upenn.edu 18.104.22.168,2607:f470:1002::2:3,2607:f4
I verified the transaction ID (34754) against the one in the pcap capture of the same traffic from the firewall, and I am curious to know how Bro deals with fragmentation reassembly and logging.
P.S.: I can provide the pcap capture for the connection mentioned above.
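As an added illustration of what IP fragmentation does to a UDP DNS response (this is example code written for this page, not part of the original post and not Bro's own reassembly code): the script below builds a constructed, oversized DNS response, fragments it the way an IPv4 stack does for a 1500-byte MTU, and reassembles the fragments independent of arrival order. The addresses, IP identification value, port numbers and DNS payload are all made up. The point it makes is that only the first fragment carries the UDP header, so the source and destination ports of the second fragment cannot be read from the packet itself; a sensor must reassemble by (src, dst, IP id, protocol) before it can attribute the datagram to a single UDP flow.

```python
import socket
import struct

MTU = 1500
IPV4_HLEN = 20
UDP_HLEN = 8
MF_FLAG = 0x2000  # "More Fragments" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(data):
    """Standard one's-complement checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ident, total_len, flags_frag, proto=17, ttl=64):
    """Build a 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def udp_datagram(sport, dport, payload):
    """UDP header (checksum left 0, which IPv4 permits) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, UDP_HLEN + len(payload), 0) + payload


def fragment(src, dst, ident, transport, mtu=MTU):
    """Split an IP payload per RFC 791: non-final fragments carry a multiple of
    8 bytes and set MF; the offset field counts 8-byte units."""
    max_payload = (mtu - IPV4_HLEN) // 8 * 8  # 1480 bytes for a 1500-byte MTU
    frags, off = [], 0
    while off < len(transport):
        chunk = transport[off:off + max_payload]
        more = off + len(chunk) < len(transport)
        flags_frag = (MF_FLAG if more else 0) | (off // 8)
        frags.append(ipv4_header(src, dst, ident, IPV4_HLEN + len(chunk), flags_frag) + chunk)
        off += len(chunk)
    return frags


def parse_ipv4(pkt):
    """Decode the fields a reassembler needs from one IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HLEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
            "proto": proto, "mf": bool(flags_frag & MF_FLAG),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


class Reassembler:
    """Reassembly keyed by (src, dst, id, proto). add() returns the complete IP
    payload once the final fragment and every byte before it have arrived,
    otherwise None; arrival order does not matter."""

    def __init__(self):
        self.pending = {}

    def add(self, pkt):
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        st = self.pending.setdefault(key, {"parts": {}, "total": None})
        st["parts"][f["offset"]] = f["payload"]
        if not f["mf"]:
            st["total"] = f["offset"] + len(f["payload"])
        if st["total"] is None:
            return None
        buf = bytearray()
        for off in sorted(st["parts"]):
            if off != len(buf):  # hole before this fragment: still incomplete
                return None
            buf += st["parts"][off]
        if len(buf) != st["total"]:
            return None
        del self.pending[key]
        return bytes(buf)


def udp_ports(ip_payload):
    """(sport, dport) read from the first four bytes of an IP payload."""
    return struct.unpack("!HH", ip_payload[:4])


def dns_transaction_id(ip_payload):
    """DNS transaction ID: first two bytes after the 8-byte UDP header."""
    return struct.unpack("!H", ip_payload[UDP_HLEN:UDP_HLEN + 2])[0]


def demo(reverse_order=False):
    # Constructed DNS response: transaction ID, flags 0x8180 (standard response,
    # NOERROR), then filler standing in for the many RRs that push the real
    # response past the MTU. Addresses and ports are made up.
    dns = struct.pack("!H", 34754) + b"\x81\x80" + b"\x00" * 1800
    transport = udp_datagram(53, 19401, dns)
    frags = fragment("192.0.2.53", "198.51.100.7", 0x1234, transport)
    r = Reassembler()
    order = list(reversed(frags)) if reverse_order else frags
    return frags, [r.add(p) for p in order]


if __name__ == "__main__":
    frags, results = demo()
    print("fragments:", len(frags))
    for p in frags:
        f = parse_ipv4(p)
        print("offset=%d mf=%s ports-as-read=%s" % (f["offset"], f["mf"], udp_ports(f["payload"])))
    print("reassembled ports:", udp_ports(results[-1]), "txid:", dns_transaction_id(results[-1]))
```

Running it shows two fragments (1480 and 332 bytes of payload): the first reads as ports 53 to 19401, the second reads as 0 to 0 because its first bytes are DNS data, not a UDP header, and only the reassembled datagram yields the ports and the transaction ID 34754 again.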