source ip and destination ip have been swapped in bro logs


I have noticed in my bro notices.log that, for a connection, the source_ip and destination_ip, as well as the corresponding ports, have been swapped. Is there any explanation for it somewhere, and how can I find out for which connections bro does this?



Bro will try to get the relationship between who "originated" and "responded" to the connection correct. Let's imagine the case that the initial syn packet for an http connection was dropped so the first packet that Bro saw was source port 80 and the dest port will be some arbitrary high number. Bro will look at the connection and make a guess that it may be looking at the connection backwards and flip it. The fact that the flip happened is also indicated in the "history" field in the conn log with the caret "^".

There are a lot of other scenarios that could lead to the same behavior too. If you'd like to go further into the particular case you're encountering, you could send a conn log entry that looks problematic to the list (with IP addresses hidden) and we may be able to diagnose the particular problem you're seeing.
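One way to pull out the connections the reply is talking about, as an added example that is not part of the original thread: parse the tab-separated conn log and keep the rows whose history field contains the caret. The log excerpt and its reduced #fields header are constructed; the column names follow Zeek/Bro's conn.log (id.orig_h, id.resp_h, history).

```python
# Added example (not from the thread). Reads Bro/Zeek ASCII conn.log text and
# reports connections whose direction was flipped by the heuristic described
# above, i.e. whose "history" field carries "^". The excerpt below is
# constructed and uses a reduced #fields header; a real conn.log has more columns.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1500000000.100000\tCuid1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\tSF\tShADadFf
1500000001.200000\tCuid2\t10.0.0.6\t51235\t192.0.2.10\t80\ttcp\thttp\tSF\t^hADadFf
1500000002.300000\tCuid3\t10.0.0.7\t51236\t192.0.2.11\t443\ttcp\tssl\tS0\tS
"""


def parse_conn_log(text):
    """Parse Zeek ASCII conn.log text into dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #open, #close and friends are skipped
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def flipped_connections(records):
    """Return records whose history contains '^' (direction flipped by Bro)."""
    return [r for r in records if "^" in r.get("history", "")]


def describe_flip(rec):
    """One-line summary: id.orig_* is who Bro decided originated the connection,
    so before the flip the two endpoints were logged the other way round."""
    return "%s: %s:%s -> %s:%s (history %s)" % (
        rec["uid"], rec["id.orig_h"], rec["id.orig_p"],
        rec["id.resp_h"], rec["id.resp_p"], rec["history"])


if __name__ == "__main__":
    for rec in flipped_connections(parse_conn_log(SAMPLE_CONN_LOG)):
        print(describe_flip(rec))
```

Running this on a real conn.log (for example, piping `cat conn.log` into the parser) lists only the flipped connections, which is the set to compare against the notices whose addresses look reversed.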


Thanks for this, this is really useful.