What happens with Bro when 3 way handshake packets are not synchronized?
In the case of offline analysis, inbound packets and outbound packets may receive timestamps that are not synchronized (maybe due to problems in the capture machine setup).
We think that it may affect short connections. For example, the pcap file can contain a syn-ack with a timestamp before the first SYN packet.
Can Bro detect the 3-way handshake in this situation? Or does the ACK-SYN get discarded?
Yes, Bro will have trouble with that. It assumes that it sees packets in the order they were on the wire and if that's not the case, results are not really predictable. If the problem were just packets not sorted in terms of their timestamps, you could use Bro's "packet sorter" feature to get them into the right order, but it sounds like here the timestamps themselves are already off. It's worth trying hard to avoid that at the point where packets are captured.
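The answer distinguishes two situations: records that are merely out of timestamp order in the file (which the packet sorter can repair) and timestamps that are themselves wrong, for example a SYN-ACK stamped earlier than the SYN it answers (which no sorting can repair). The following pre-flight check tells the two apart before a pcap is handed to Bro. It is an added example, not code from this thread or from Bro; it assumes classic pcap files (not pcapng) with Ethernet/IPv4/TCP frames, and the sample capture embedded at the bottom is constructed for the demonstration.

```python
"""Pre-flight check for pcaps fed to Bro: spot TCP handshakes whose capture
timestamps are inverted (SYN-ACK stamped earlier than its SYN) and count
records that are simply not sorted by timestamp.

Added example, not code from the Bro mailing-list thread or from Bro itself.
Only Ethernet/IPv4/TCP frames are inspected; other frames are skipped.
"""
import struct

SYN, ACK = 0x02, 0x10
PCAP_MAGICS = {  # magic read little-endian -> (struct byte order, fraction divisor)
    0xA1B2C3D4: ("<", 1e6), 0xA1B23C4D: ("<", 1e9),
    0xD4C3B2A1: (">", 1e6), 0x4D3CB2A1: (">", 1e9),
}


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for each record in a pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file")
    order, divisor = PCAP_MAGICS[magic]
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, incl_len, _ = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec + frac / divisor, data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + IPv4 header
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]  # IHL gives the IP header length in 32-bit words
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    addr = lambda b: ".".join(str(x) for x in b)
    return addr(ip[12:16]), addr(ip[16:20]), sport, dport, tcp[13]


def check_handshakes(data):
    """Return (inverted, out_of_order): handshakes whose earliest SYN-ACK is
    stamped before the earliest SYN, and the count of records whose timestamp
    is lower than the preceding record's (the case a sorter can fix)."""
    first_syn, first_synack, out_of_order, prev_ts = {}, {}, 0, None
    for ts, frame in parse_pcap(data):
        if prev_ts is not None and ts < prev_ts:
            out_of_order += 1
        prev_ts = ts
        f = tcp_fields(frame)
        if f is None:
            continue
        src, dst, sport, dport, flags = f
        if flags & (SYN | ACK) == SYN:
            key = (src, dst, sport, dport)
            first_syn[key] = min(ts, first_syn.get(key, ts))
        elif flags & (SYN | ACK) == SYN | ACK:
            key = (dst, src, dport, sport)  # key by the client's direction
            first_synack[key] = min(ts, first_synack.get(key, ts))
    inverted = [(k, first_syn[k], first_synack[k]) for k in first_syn
                if k in first_synack and first_synack[k] < first_syn[k]]
    return inverted, out_of_order


# --- constructed sample data so the check runs offline ---
def make_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (no options, no payload, zero checksums)."""
    ip_bytes = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def make_pcap(records):
    """Write little-endian, microsecond-resolution pcap bytes from (timestamp, frame) records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = make_pcap([  # constructed: one clean handshake, one with an inverted SYN-ACK stamp
    (10.000100, make_frame("10.0.0.1", "10.0.0.2", 40000, 80, SYN)),
    (10.000250, make_frame("10.0.0.2", "10.0.0.1", 80, 40000, SYN | ACK)),
    (10.000300, make_frame("10.0.0.1", "10.0.0.2", 40000, 80, ACK)),
    (10.000400, make_frame("10.0.0.1", "10.0.0.2", 40001, 443, SYN)),
    (10.000350, make_frame("10.0.0.2", "10.0.0.1", 443, 40001, SYN | ACK)),  # before its SYN
    (10.000500, make_frame("10.0.0.1", "10.0.0.2", 40001, 443, ACK)),
])

if __name__ == "__main__":
    inverted, out_of_order = check_handshakes(SAMPLE_PCAP)
    print(f"records out of timestamp order: {out_of_order}")
    for key, syn_ts, synack_ts in inverted:
        print(f"inverted handshake {key}: SYN {syn_ts:.6f} > SYN-ACK {synack_ts:.6f}")
```

A non-zero `out_of_order` count with an empty `inverted` list means the file only needs sorting; any entry in `inverted` means the capture clock itself is off for that connection, which is the case the answer says Bro cannot recover from and which is best fixed at capture time. To run it on a real file, replace `SAMPLE_PCAP` with the bytes read from the pcap.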
Thank you!
I did some metrics, and the problem is confined to just a few cases with a fast handshake process. There are also some other rare cases, maybe more related to anomalies on the net (crud).
V.E.