TCP Packets not getting logged

Bindiya_V_S · November 29, 2006, 2:25pm

Hi,

  I tried running some SSL PCAP(packet capture) files (using tcpreplay on the primary interface) with bro running on the system. Some of the TCP connections in the PCAP are not having the connection closing handshakes (FIN and ACK). When I try re-running the same PCAP in short intervals (running tcpreplays multiple times on the same PCAP), the packets coming on the connection which didnt have FIN and ACK earlier are not getting logged. The other packets which had their connections neatly closed are getting loggged fine.
   I am working on ver 0.9 currently, but the same thing is happening on 1.1 release.
   I assumed that conn->IsReuse() in Sessions.cc will return true for these kind of packets. But that is not happening.
   Can some one help me out?

Thanks in Advance
Bindiya

robin · November 30, 2006, 3:10am

That's because the internal connection state for these connections
is still in memory and Bro believes that the incoming packets do
actually belong to the same (old) connection. For connections closed
with FINs, the connection state is flushed more quickly, which is
why you're less likely to see this effect for them.

In general, replaying the same traffic multiple times is likely to
confuse Bro in various ways (e.g., also some of the scripts).
Usually it's best to create multiple different instances of the
trace first by, e.g., changing IP addresses.

Robin

Topic		Replies	Views
Bro performance issues Zeek	53	84	May 6, 2022
Handling connections missing TCP handshake Zeek	1	95	May 6, 2022
http_request event Zeek	3	74	May 6, 2022
Sometimes HTTP.log fails to generate from PCAP file Zeek	3	66	May 6, 2022
TCP reassembly question [Port Traffic Mirroring] Zeek	1	162	May 6, 2022

TCP Packets not getting logged

Related Topics