pcap replay issue

I am trying to replay a small ssl pcap and have bro analyze the packets. When I do tcpreplay on the pcap, the first time I see five ssl connections in the bro ssl log. When I replay the same pcap within a minute or so of the first replay, I only see 3 connections. If I give a gap of, say, 5 mins between the replays, then I see 5 connections in the 2nd replay too. If I use tcpreplay-edit with the -s option, i.e. where the source is randomized, then I see 5 connections both times even if I don’t have a large delay between the two replays. Also, I see some messages in the weird.log.

I’ve attached the pcap, ssl_with_delay.log (shows all 10 connections from two replays), ssl_no_delay.log (shows only 8 connections from 2 replays) and weird.log.

Could someone explain what’s going on and if there is a workaround for this issue? Thanks.


iis.pcap (26.9 KB)

ssl_no_delay.log (2.08 KB)

ssl_with_delay.log (2.45 KB)

weird.log (657 Bytes)

I haven’t looked at your pcap, but from what you are saying and from looking at your weird.log, it appears that your connections with the ephemeral ports 54169 and 54167 aren’t being shut down correctly. Make sure they have correct TCP shutdown sequences (FINs or RSTs, etc.). You are seeing things correctly after 5 minutes because that’s Bro’s default TCP timeout.
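One way to apply that check to a pcap before replaying it, as an added example that is not from the thread: a stdlib-only Python parser that walks a classic libpcap file (Ethernet/IPv4/TCP) and lists the TCP 4-tuples that never carried a FIN or RST. The sample traffic is constructed here, not the poster's iis.pcap; the addresses and ports are made up.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_flows(pcap_bytes):
    """OR together the TCP flags seen per connection, keyed by direction-agnostic 4-tuple."""
    endian = '<' if pcap_bytes[:4] == b'\xd4\xc3\xb2\xa1' else '>'
    flows, off = defaultdict(int), 24            # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + 'IIII', pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
            continue                             # not Ethernet/IPv4/TCP
        ihl = (frame[14] & 0x0f) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue                             # truncated TCP header
        src, dst = '.'.join(map(str, frame[26:30])), '.'.join(map(str, frame[30:34]))
        sport, dport = struct.unpack('!HH', tcp[:4])
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flows[key] |= tcp[13]                    # TCP flags byte
    return dict(flows)

def unclosed_flows(pcap_bytes):
    """Connections with no FIN/RST: Bro keeps their state until its TCP timeout, so a replay reusing the 4-tuple is merged."""
    return [k for k, f in tcp_flows(pcap_bytes).items() if not f & (FIN | RST)]

def _frame(src, sport, dst, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp

def _pcap(frames):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return out + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample (not the poster's iis.pcap): one flow closed with FIN, one left open.
SAMPLE = _pcap([
    _frame('10.0.0.5', 54167, '10.0.0.9', 443, SYN),
    _frame('10.0.0.9', 443, '10.0.0.5', 54167, SYN | ACK),
    _frame('10.0.0.5', 54167, '10.0.0.9', 443, FIN | ACK),   # properly closed
    _frame('10.0.0.5', 54169, '10.0.0.9', 443, SYN),
    _frame('10.0.0.9', 443, '10.0.0.5', 54169, SYN | ACK),
    _frame('10.0.0.5', 54169, '10.0.0.9', 443, ACK),         # never closed
])
```

To check a real capture, pass `open(path, 'rb').read()` to `unclosed_flows`; any 4-tuple it returns is one Bro will still hold open when the same pcap is replayed within the timeout.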