pcap replay issue

Dk_Jack · November 14, 2015, 10:15pm

Hi,
I am try to replay small ssl pcap and have bro analyze the packets. When I do tcpreplay on the pcap, the first time I see five ssl connections in bro ssl log. When I replay same pcap within a minute or so of the first replay, then I only see 3 connections. If I give a gap of say 5mins between the replays, then I see 5 connections in the 2nd replay too. If I use tcpreplay-edit with -s option i.e. where the source is randomized, then I see 5 connections both times even if I don’t have a large delay between the two replays. Also, I see some messages in the weird.log.

I’ve attached the pcap, ssl_with_delay.log (shows all 10 connections from two replays), ssl_no_delay.log(shows only 8 connections from 2 replays) and weird.log.

Could someone explain what’s going on and if there is a work around for this issue. Thanks.

Dnj.

iis.pcap (26.9 KB)

ssl_no_delay.log (2.08 KB)

ssl_with_delay.log (2.45 KB)

weird.log (657 Bytes)

Seth_Hall3 · November 16, 2015, 2:39pm

I haven’t looked at your pcap, but from what you are saying and from looking at your weird.log it appears that your connections with the ephemeral ports 54169 and 54167 aren’t being shutdown correctly. Make sure they have correct tcp shutdown sequences (FINs or RSTs, etc). You are seeing things correctly after 5 minutes because that’s Bro’s default TCP timeout.

.Seth

Topic		Replies	Views
[JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack Development development	5	64	May 6, 2022
TCP Replay Packet Count Zeek	4	123	May 6, 2022
weird.log help Zeek	4	89	May 6, 2022
timer delays between different events for same connection Development development	3	74	May 6, 2022
Follow up on invoking the "protocol_confirmation" event Zeek	5	59	May 6, 2022

pcap replay issue

Related Topics