Split PCAPs & Partial Connections

Hello all,

I am batch processing some periodic PCAP files to extract SSL certificates. I noticed if I do bro -r file1, followed by bro -r file2, I end up with two ssl.log files totalling ~1500 lines. However, if I mergecap file1 & file2 and run bro -r merged, my ssl.log is ~7000 lines.

After searching the list archive and current bro docs, I thought this might be a partial connection problem. So I tried a redef partial_connection_ok = T; but that did not seem to have any effect.

Any insights into how I might fix the discrepancy would be greatly appreciated.

Jason

Has anyone here run into this problem before? It seems to be the same for http.log files as well.

Thanks!

Jason

A few questions arise:

How did you run mergecap? Does the behavior change if you run it using
-a? Do the two pcap files immediately follow one another in timestamps,
that is, does file2 start exactly where file1 stops? Is the merged pcap
file about equal to size(file1) plus size(file2), or is it significantly
larger?

Shane,

I ran mergecap -w merged.cap file1 file2. When run with -a, merged.cap is the same file size, but bro results in only 700 log lines in ssl.log. The two PCAP files are an overlapping timeframe. Traffic is split across both. Yes, the merged file size is approximately the same as the sum of the individual files.

Jason
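As an added diagnostic for the two questions Shane raises (do the captures overlap in time, and do connections straddle the two files?), the following Python script is example code written for this page; it is not part of the thread and not Bro's own code. It parses classic libpcap files (Ethernet link type, IPv4/TCP only; pcapng is not handled), reports each file's time range, whether the ranges overlap, and how many TCP flows have their SYN in file1 but continue in file2, which is exactly the situation a per-file run sees as a partial connection. The sample captures, addresses and ports are constructed inline and are assumptions, not data from the thread.

```python
"""Diagnose whether two pcap files split TCP connections between them.

Example code added for this page (not from the mailing-list thread or from
Bro). Assumes classic libpcap format, Ethernet link type and IPv4/TCP.
"""
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def parse_pcap(data):
    """Yield (ts, src, sport, dst, dport, tcp_flags) for every IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) captures are supported")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:]
        if len(tcp) < 14:
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield sec + usec / 1e6, src, sport, dst, dport, tcp[13]


def flow_key(src, sport, dst, dport):
    """Direction-independent 4-tuple so both halves of a connection match."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def summarize(data):
    """Time range plus, per flow, packet count and whether its SYN was seen."""
    first = last = None
    flows = defaultdict(lambda: {"packets": 0, "syn": False})
    for ts, src, sport, dst, dport, flags in parse_pcap(data):
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        f = flows[flow_key(src, sport, dst, dport)]
        f["packets"] += 1
        if flags & SYN and not flags & ACK:  # pure SYN opens the handshake
            f["syn"] = True
    return {"first": first, "last": last, "flows": dict(flows)}


def split_report(file1, file2):
    """Compare two captures: time overlap and connections straddling both."""
    s1, s2 = summarize(file1), summarize(file2)
    shared = set(s1["flows"]) & set(s2["flows"])
    # SYN only in file1, continuation only in file2: partial in a per-file run.
    headless = [k for k in shared if s1["flows"][k]["syn"] and not s2["flows"][k]["syn"]]
    return {
        "file1_range": (s1["first"], s1["last"]),
        "file2_range": (s2["first"], s2["last"]),
        # Overlapping ranges mean plain concatenation (mergecap -a) yields
        # timestamps that run backwards at the file boundary.
        "overlap": s1["last"] >= s2["first"] and s2["last"] >= s1["first"],
        "shared_flows": len(shared),
        "headless_in_file2": len(headless),
    }


def build_packet(src, sport, dst, dport, flags):
    """Ethernet + IPv4 + TCP headers only; checksums left zero (constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(packets):
    """Classic little-endian pcap, DLT_EN10MB; packets are (ts, src, sport, dst, dport, flags)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, src, sport, dst, dport, flags in packets:
        pkt = build_packet(src, sport, dst, dport, flags)
        out.append(struct.pack("<IIII", int(ts), 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


# Constructed captures with overlapping time ranges, as described in the thread:
# connection A starts in file1 and continues in file2. Addresses are assumptions.
CLIENT_A, CLIENT_B, CLIENT_C, SERVER = "10.0.0.1", "10.0.0.2", "10.0.0.3", "192.0.2.10"
SAMPLE_FILE1 = build_pcap([
    (1000, CLIENT_A, 40000, SERVER, 443, SYN),
    (1002, SERVER, 443, CLIENT_A, 40000, SYN | ACK),
    (1005, CLIENT_B, 40001, SERVER, 443, SYN),
    (1010, SERVER, 443, CLIENT_B, 40001, SYN | ACK),
])
SAMPLE_FILE2 = build_pcap([
    (1003, CLIENT_A, 40000, SERVER, 443, ACK),
    (1006, CLIENT_A, 40000, SERVER, 443, PSH | ACK),
    (1007, CLIENT_C, 40002, SERVER, 443, SYN),
    (1015, SERVER, 443, CLIENT_C, 40002, SYN | ACK),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            print(split_report(a.read(), b.read()))
    else:
        print(split_report(SAMPLE_FILE1, SAMPLE_FILE2))
```

Run it with two capture paths to check real files. A non-zero `headless_in_file2` count means connections whose handshake is in the first file are only seen mid-stream when the second file is processed on its own; an `overlap` of true means the default timestamp-ordered merge and `mergecap -a` (append without reordering) produce different packet orders, which is consistent with the differing line counts reported in the thread.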