I encountered a tcp reassembly problem, that begets the bro parse the tcp stream fail. Sincere search for solutions. The following is a description of the problem.
There are two pcap file, the pcap data capture from switch(Port Traffic Mirroring). As below:
- pcap1, we are use bro to parse the pcap1 file. Been testing, bro can not log http request. I am not sure whether the TCP stream has some messy.
- pcap2, base on the pcap1, we were use wireshark to deleted a packet and generated another new pcap2 file. The deleted packet’s status was described as “[TCP ACKed unseen segment]” in wireshark. The bro parse the pcap correctly.
Is there any suggestion to solve the problem. Thanks very much.
Below listed the test step and results:
Bro with capture-loss loaded:
root@sensor ~/temp# cat loss.bro
@load misc/capture-loss.bro
PACP1_single_issue_00.pcap (13.7 KB)