Hi Bro community
I am using bro version 2.3-316
Inside a Conn.log history I have the letter ‘Q’ in it.
I cannot find any info about ‘Q’.
Am I missing something?
1439941988.068044 C3FNvf40Sa0n7jtNTf 10.122.100.26 63394 10.122.110.8 22 tcp - 1.796387 0 0 SH T Qah 1 60 4 224 (empty) (empty) (empty)
1439942990.248722 CqADp939XKyVf7j03i 10.122.100.26 63119 10.122.103.10 22 tcp - 3.000317 0 0 S2 T Qh 1 60 4 240 (empty) (empty) (empty)
‘Q’ indicates a multi flag packet. It should be either a syn/fin or syn/rst packet.
That’s interesting…I don’t have Q at all…and I would agree that maybe that should be documented somewhere, but I couldn’t find it here:
Thank you for the fast reply.
To make it worse, there is also ‘I’ which indicates fin/rst (and possibly other flags). James, would you mind filing a ticket about adding Q/I to the docs? (he who brings up docs files the ticket!)
I already fixed this (I've had a branch for a while now
where I've been collecting small documentation fixes like this).
LOL... I sure will, Seth, thanks.
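
Added example, not part of the original thread and not code from the Bro project: a small decoder for the conn.log history field that flags the Q and I letters discussed above, run over the two log lines from the question. The column index is an assumption taken from the lines as pasted (a real log should be read using its #fields header), and the meanings of the other letters follow the Bro conn.log documentation.

```python
# Added example: decode Bro conn.log history strings and flag Q/I packets.
# Upper case = sent by the originator, lower case = sent by the responder.
HISTORY = {
    "s": "SYN without ACK",
    "h": "SYN+ACK",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "i": "inconsistent flags (e.g. FIN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}
ODD = {"q", "i"}   # the two letters discussed in this thread
HISTORY_COL = 13   # assumption: column position in the lines pasted above

# The two conn.log lines from the question (whitespace-separated as pasted).
SAMPLE = """\
1439941988.068044 C3FNvf40Sa0n7jtNTf 10.122.100.26 63394 10.122.110.8 22 tcp - 1.796387 0 0 SH T Qah 1 60 4 224 (empty) (empty) (empty)
1439942990.248722 CqADp939XKyVf7j03i 10.122.100.26 63119 10.122.103.10 22 tcp - 3.000317 0 0 S2 T Qh 1 60 4 240 (empty) (empty) (empty)
"""

def decode_history(history):
    """Return [(side, meaning), ...] for each letter of a history string."""
    return [("orig" if ch.isupper() else "resp",
             HISTORY.get(ch.lower(), "unknown letter %r" % ch))
            for ch in history]

def odd_flag_conns(text):
    """Return one record per connection whose history contains Q/q or I/i."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) <= HISTORY_COL:
            continue  # header line or short/blank line
        history = fields[HISTORY_COL]
        odd = [("orig" if ch.isupper() else "resp", ch.lower())
               for ch in history if ch.lower() in ODD]
        if odd:
            hits.append({"uid": fields[1], "orig": fields[2], "resp": fields[4],
                         "resp_port": int(fields[5]), "history": history, "odd": odd})
    return hits

if __name__ == "__main__":
    for hit in odd_flag_conns(SAMPLE):
        print(hit["uid"], hit["orig"], "->", hit["resp"], hit["resp_port"], hit["history"])
        for side, meaning in decode_history(hit["history"]):
            print("   ", side, meaning)
```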