TCP retransmissions

Dear list,

I stumbled upon a few entries in conn.log that tell me there is an incoming connection from an IMAP mailserver (public IP) to my notebook computer (private IP, behind NAT).

In fact, I only have outgoing connections from that notebook computer to the IMAP server. I can find these in conn.log as well.

Of course I do not have any port forwarding to that notebook computer, so I took a tshark trace on the router and waited for another occurrence.

According to tshark on the router, there was no incoming connection from the IMAP server.

But tshark on the router also revealed some TCP retransmissions from the IMAP server to my notebook. Every time tshark sees one of these TCP retransmissions, I get an incoming connection in conn.log. I think the retransmissions are due to a weak Wifi signal between router and notebook.

Is it possible that TCP retransmissions are classified as new connections by Bro? Or does anybody have a hint where else to search for the reason?

Thanks!
Sven
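One way to check this hypothesis against conn.log itself, as an added example that is not part of the thread: the script below parses a constructed conn.log excerpt (a subset of the Zeek/Bro conn.log fields) and flags each apparent inbound connection whose 4-tuple mirrors an earlier outbound connection from the same local host, which is what late or retransmitted segments logged after the original connection expired would look like. The 192.168.1.0/24 LAN, the sample addresses and the one-hour matching window are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed home LAN behind the NAT router.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed conn.log excerpt, tab-separated subset of Zeek/Bro fields:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state, history
SAMPLE_CONN_LOG = """\
1500000000.10\tC1aaa\t192.168.1.20\t51234\t203.0.113.9\t993\ttcp\tSF\tShADadFf
1500000000.20\tC2bbb\t192.168.1.20\t51235\t203.0.113.9\t993\ttcp\tS1\tShADad
1500000925.00\tC3ccc\t203.0.113.9\t993\t192.168.1.20\t51235\ttcp\tOTH\tA
1500001000.00\tC4ddd\t198.51.100.7\t40000\t192.168.1.20\t22\ttcp\tS0\tS
"""

@dataclass
class Conn:
    ts: float; uid: str; orig_h: str; orig_p: int
    resp_h: str; resp_p: int; proto: str; state: str; history: str

def parse_conn_log(text):
    """Parse the TSV subset above, skipping Zeek '#' header/comment lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), f[6], f[7], f[8]))
    return conns

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def classify_inbound(conns, window=3600.0):
    """Return {uid: verdict} for apparent inbound conns (external orig, local resp).
    'reversed-tuple': an earlier local->external conn used the mirrored 4-tuple within
    `window` seconds, so this is likely the tail of that session logged as a new conn.
    'unexplained': no matching outbound conn, so it deserves a closer look."""
    last_outbound = {}   # (orig_h, orig_p, resp_h, resp_p) -> ts of latest outbound conn
    verdicts = {}
    for c in sorted(conns, key=lambda c: c.ts):
        if is_local(c.orig_h) and not is_local(c.resp_h):
            last_outbound[(c.orig_h, c.orig_p, c.resp_h, c.resp_p)] = c.ts
        elif not is_local(c.orig_h) and is_local(c.resp_h):
            earlier = last_outbound.get((c.resp_h, c.resp_p, c.orig_h, c.orig_p))
            if earlier is not None and 0 <= c.ts - earlier <= window:
                verdicts[c.uid] = "reversed-tuple"
            else:
                verdicts[c.uid] = "unexplained"
    return verdicts

if __name__ == "__main__":
    for uid, verdict in classify_inbound(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(uid, verdict)
```

Running it against a real conn.log only needs the field subset adjusted to the file's `#fields` header; an inbound entry with an OTH or similar mid-stream conn_state and a mirrored outbound tuple is the signature to look for.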

They might be considered new connections if your router and laptop have a longer connection timeout than Bro. This is a guess.

-AK

Hi Anthony,