I am trying to replay a small SSL pcap and have Bro analyze the packets. When I do tcpreplay on the pcap, the first time I see five SSL connections in Bro's ssl.log. When I replay the same pcap within a minute or so of the first replay, then I only see 3 connections. If I give a gap of, say, 5 mins between the replays, then I see 5 connections in the 2nd replay too. If I use tcpreplay-edit with the -s option, i.e. where the source is randomized, then I see 5 connections both times even if I don't have a large delay between the two replays. Also, I see some messages in weird.log.
I've attached the pcap, ssl_with_delay.log (shows all 10 connections from the two replays), ssl_no_delay.log (shows only 8 connections from the 2 replays) and weird.log.
Could someone explain what's going on and whether there is a workaround for this issue? Thanks.
iis.pcap (26.9 KB)
ssl_no_delay.log (2.08 KB)
ssl_with_delay.log (2.45 KB)
weird.log (657 Bytes)
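A diagnostic one can run over a log like the attached ssl_no_delay.log, added here as an example and not part of the original post or of Bro itself. It parses the standard Bro/Zeek TSV log layout (the `#fields` header line names the columns, data rows are tab separated) and groups rows by the TCP 5-tuple Bro keys its connection state on, so that connections logged only once across two replays, and connections repeated within a short window, stand out. The log text embedded below is constructed for the example (five connections replayed twice 60 s apart, three of them logged the second time) and uses a subset of the real ssl.log fields; the 300 s window is Bro's default `tcp_inactivity_timeout`, used as an assumption that a second replay inside that window is folded into the first replay's connection state rather than treated as new connections.

```python
"""Group a Bro/Zeek ssl.log by TCP 5-tuple to see which connections from a
repeated tcpreplay were logged again and which were not.

Example code, not from the original post or from Bro. The log content is
constructed; the column list is a subset of a real ssl.log.
"""
from collections import defaultdict

# Constructed ssl.log: five TLS connections, replayed a second time 60 s later,
# but only three 5-tuples appear again in the second replay.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tssl\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\n"
    "1400000000.100000\tCa1\t10.0.0.5\t51001\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000000.200000\tCa2\t10.0.0.5\t51002\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000000.300000\tCa3\t10.0.0.5\t51003\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000000.400000\tCa4\t10.0.0.5\t51004\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000000.500000\tCa5\t10.0.0.5\t51005\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000060.100000\tCb1\t10.0.0.5\t51001\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000060.200000\tCb2\t10.0.0.5\t51002\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "1400000060.300000\tCb3\t10.0.0.5\t51003\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.test\n"
    "#close\t2014-05-13-12-02-00\n"
)


def parse_zeek_log(text):
    """Return one dict per data row, keyed by the names from the #fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header/trailer lines; only #fields carries information we need.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch in row: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def five_tuple(rec):
    """Connection key as Bro sees it; ssl.log rows are always TCP."""
    return (rec["id.orig_h"], int(rec["id.orig_p"]),
            rec["id.resp_h"], int(rec["id.resp_p"]), "tcp")


def group_by_tuple(records):
    """Map each 5-tuple to the sorted timestamps at which it was logged."""
    seen = defaultdict(list)
    for rec in records:
        seen[five_tuple(rec)].append(float(rec["ts"]))
    return {key: sorted(ts) for key, ts in seen.items()}


def replay_report(records, replays=2, window=300.0):
    """Summarise a log that should contain `replays` copies of each connection.

    `window` (seconds) is the gap below which a repeated 5-tuple is flagged.
    300 s is Bro's default tcp_inactivity_timeout; treating it as the merge
    window is an assumption to verify, not something the log states.
    """
    groups = group_by_tuple(records)
    missing = sorted(key for key, ts in groups.items() if len(ts) < replays)
    repeated_fast = {}
    for key, ts in groups.items():
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        if gaps and min(gaps) < window:
            repeated_fast[key] = min(gaps)
    return {
        "logged": len(records),
        "distinct_tuples": len(groups),
        "missing": missing,
        "repeated_within_window": repeated_fast,
    }


if __name__ == "__main__":
    report = replay_report(parse_zeek_log(SAMPLE_SSL_LOG))
    print("rows logged:           ", report["logged"])
    print("distinct 5-tuples:     ", report["distinct_tuples"])
    print("seen fewer than twice: ", report["missing"])
    for key, gap in sorted(report["repeated_within_window"].items()):
        print("repeated after %.1f s: %s" % (gap, key))
```

Run it against the real file with `parse_zeek_log(open("ssl_no_delay.log").read())`: 5-tuples listed under `missing` are the connections the second replay did not produce a new ssl.log row for, and the gap printed for the repeated ones shows how close the two replays were. Randomizing the source with `tcpreplay-edit -s` changes `id.orig_h`, so every replayed connection gets a fresh 5-tuple and nothing lands in either bucket.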