Different Connection UID when using different modes

Hi there,

I wrote a little script to keep track of some values sent between two PLCs, measuring the pressure of a compressor. To test it, I recorded the data traffic between those PLCs with Wireshark.

However, I noticed that if I run Bro as a command-line utility, all packets belong to the same connection UID (which is right, it's one single TCP connection), like this:
1524935590.861128 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1524935592.240910 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1524935593.510075 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1524935594.644501 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
1524935595.890453 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
1524935597.034076 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1524935598.310198 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1524935599.455176 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
1524935600.715050 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
1524935601.858465 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
1524935603.105988 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
1524935604.263663 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756

If I replay the pcap with tcpreplay and use Bro with BroCtl, the connection UID changes every 4 to 5 packets:

1530283326.472442 C0RGCfPjoO1qjgaB3 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1530283327.851737 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1530283329.200584 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1530283330.327749 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
1530283331.575829 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
1530283332.723797 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1530283333.995711 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1530283335.139726 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
1530283336.399753 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
1530283337.547808 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
1530283338.791763 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
1530283339.947775 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756

Could it be because I'm using tcpreplay? Or is it a wanted behavior of Bro?

Thanks!

Dane

This is a wanted behavior by BRO.
Using the seed options won't help either.

What I did to fix this is create a script that on new_connection() overrides c$uid to my own uid (some deterministic calculation with the connection’s ts,ips,ports and proto),
and then @load this script from your script.

This is how I manage to get the same uid for the same connection in the same pcap across different BRO runs.
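The approach the reply describes, written out as an added example (this is not the poster's script; it assumes the Bro 2.x script API: the new_connection event, the variadic sha1_hash() and get_port_transport_proto() BIFs, and that c$uid can be assigned from script as the poster states):

```zeek
# Added example: replace Bro's random connection UID with a deterministic
# one derived from the connection's start time and 5-tuple, so the same
# pcap yields the same UID on every run. Module/function names are mine.
module DetUID;

export {
    ## Build a deterministic UID from start time, addresses, ports and proto.
    global make_uid: function(c: connection): string;
}

function make_uid(c: connection): string
    {
    local proto = get_port_transport_proto(c$id$resp_p);

    # sha1_hash() accepts any number of arguments of any type and hashes
    # their string forms; the fixed argument order defines the key.
    local h = sha1_hash(c$start_time,
                        c$id$orig_h, c$id$orig_p,
                        c$id$resp_h, c$id$resp_p,
                        proto);

    # Keep a recognisable prefix and trim to roughly Bro's UID length
    # (sub_bytes positions are 1-based).
    return fmt("D%s", sub_bytes(h, 1, 17));
    }

# Run early so any other handler that records c$uid sees the new value.
event new_connection(c: connection) &priority=10
    {
    c$uid = make_uid(c);
    }
```

Because the key includes c$start_time, this matches the reply's scope (same pcap, different Bro runs): the two outputs in the question carry different timestamps, so a tcpreplay run would still get a different UID than reading the pcap directly.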