File Extraction wierdness

Zeek
1

I am having issues getting garbled file extractions from both live interfaces and traces.
Smaller files appear unaffected, but the larger the file, the greater chance of it being extracted incorrectly with Bro.

Is this normal behaviour? Or is Bro relatively bulletproof when it comes to file extraction?

Steps taken already:
Viewing wierd and notice logs, nothing stands out as abnormal.
Disabled all offloading of the NIC. No change.
Running a frameworks/files/extract-all-files.bro by itself. No change.
Running the packet loss script to determine if packets are being lost. 0.0% packet loss detected.

Could anyone suggest alternative things I can try to resolve this?

Thanks in advance!

Blake Mackey, CD
SLt | ens 1
Royal Military College of Canada | collège militaire royal du Canada
(613)331-6438

2

Is this normal behaviour? Or is Bro relatively bulletproof when it comes to file extraction?

Yes, it's generally functional.

Could anyone suggest alternative things I can try to resolve this?

Could you capture some traffic that is giving you trouble and send it to me (offlist)? It sounds to me like you're having packet loss issues, but I can't be sure without seeing the raw traffic.

Thanks
  .Seth

3

Thanks for the data, I definitely see that it didn't extract correctly for you. If I take the raw traffic and run Bro (git master) on it it extracts the file just fine. What version of Bro are you running and what exactly is the command line you are running? I'll show you what I ran...

bro -r bro.trace frameworks/files/extract-all-files

  .Seth