I've been using Bro a lot lately and recently I've started noticing some weird connection sizes.
For instance, a single connection may have a resp_bytes of over 1000GB, far more than is possible given the circumstances.
Three weirdness notifications seem to pop up along with this error, although not always all three at once. They are: SYN_seq_jump, SYN_inside_connection, & TCP_ack_underflow_or_misorder.
I've managed to capture an instance of the bug happening and have attached the dump to this email.
If you run the dump through bro it should show a resp_bytes of almost 4GB for this connection, despite the capture only being a couple KB.
Could you please help me understand what is happening here and perhaps fix the bug?
bad.connection.pcap (1.92 KB)
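
A triage check for the symptom described in the message above, as an added example that is not part of the original email or Bro's own code: it compares the sequence-number-derived `orig_bytes`/`resp_bytes` in `conn.log` with the packet-counted `orig_ip_bytes`/`resp_ip_bytes` and reports rows where the payload figure exceeds what was seen on the wire. The log rows, uids and addresses are constructed, and the check assumes the `*_ip_bytes` columns are present in the log.

```python
import io

# Constructed conn.log excerpt in Bro's tab-separated ASCII layout (values are made up).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tduration\torig_bytes\tresp_bytes"
    "\torig_ip_bytes\tresp_ip_bytes",
    "1400000000.0\tCexample1\t192.0.2.10\t198.51.100.5\t1.5\t310\t1200\t630\t1520",
    "1400000001.0\tCexample2\t192.0.2.11\t198.51.100.5\t0.9\t420\t4294966800\t740\t980",
    "1400000002.0\tCexample3\t192.0.2.12\t198.51.100.5\t-\t-\t-\t0\t0",
    "#close 2014-01-01-00-00-00",
]) + "\n"


def _num(value):
    """Bro writes '-' for unset fields; return None for those."""
    return None if value in ("-", "(empty)", "") else int(value)


def implausible_sizes(log_file):
    """Return (uid, side, payload_bytes, ip_bytes) for rows whose payload count
    exceeds the bytes counted from IP headers for that side.

    A hit means the two counters disagree: either packets were missing from the
    capture, or the sequence-number arithmetic went wrong for that connection.
    """
    fields, findings = [], []
    for line in log_file:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]      # column names follow the tag
            continue
        if not line or line.startswith("#"):   # other header/footer lines
            continue
        row = dict(zip(fields, line.split("\t")))
        for side in ("orig", "resp"):
            payload = _num(row.get(side + "_bytes", "-"))
            on_wire = _num(row.get(side + "_ip_bytes", "-"))
            if payload is not None and on_wire is not None and payload > on_wire:
                findings.append((row["uid"], side, payload, on_wire))
    return findings


if __name__ == "__main__":
    for uid, side, payload, on_wire in implausible_sizes(io.StringIO(SAMPLE_CONN_LOG)):
        print(f"{uid}: {side}_bytes={payload} but {side}_ip_bytes={on_wire}")
```

Rows flagged this way are candidates for cross-checking against `weird.log` entries with the same uid, such as the three notices named in the message.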