My previous experiment setup was as follows.
Setup 1:
Node1 (Client) <------> Node2 (running BRO) <------> Node3 (Server)
If on Node2 instead of running Bro you capture packets with tcpdump, does
Bro run correctly on the resulting trace?
- Yes. The command that I use is:
$ sudo /usr/local/…/bin/bro -r …/testCapture6.dump ex2e.bro
Task: I am ftp’ing one file from Node 1 to Node3.
Snippet of output:
10.1.2.3 10.1.1.3 20 57713 bitrate: 117337.34, duration: 3.011079, size: 0 353312
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 117722.29, duration: 4.022144, size: 0 473496
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 117969.47, duration: 5.020214, size: 0 592232
10.1.1.3 10.1.2.3 43580 21 bitrate: 64.74, duration: 6.889347, size: 105 446
10.1.2.3 10.1.1.3 20 57713 bitrate: 118139.81, duration: 6.030279, size: 0 712416
Notice the increase in size and duration every one second. This is as expected.
- When I run the following command (that is reading from an interface “em2”):
$ sudo /usr/local/…/bin/bro -i em2 ex2e.bro
Task: Same as before (I am ftp’ing one file from Node 1 to Node3).
Snippet of output observed:
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.1.3 10.1.2.3 36270 21 bitrate: 0.00, duration: 0.001420, size: 0 0
1283232336.474291 8.932614 10.1.2.3 10.1.1.3 20 47271 0 1052696 - TCP_CLOSED
Notice that size and duration do not increase every second. But when I stop the file transfer, I see updated values.
- One more thing I noticed is that:
When I run my policy file along with the TCP and FTP analyzers on the live interface using the command below.
Command:
$ sudo /usr/local/…/bin/bro -i em2 ex2e.bro tcp ftp
Task: Same as before (I am ftp’ing one file from Node 1 to Node3).
I see the following output:
Snippet:
1283232724.432981 0.001834 10.1.1.3 10.1.2.3 53747 21 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 0.00, duration: 0.001834, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 10608.46, duration: 0.007824, size: 0 83
10.1.1.3 10.1.2.3 53747 21 bitrate: 10608.46, duration: 0.007824, size: 0 83
10.1.1.3 10.1.2.3 53747 21 bitrate: 63.43, duration: 2.222891, size: 16 141
10.1.1.3 10.1.2.3 53747 21 bitrate: 72.37, duration: 3.150419, size: 29 228
10.1.1.3 10.1.2.3 53747 21 bitrate: 72.37, duration: 3.150419, size: 29 228
10.1.1.3 10.1.2.3 53747 21 bitrate: 41.28, duration: 6.007643, size: 37 248
1283232730.452595 0.003124 10.1.2.3 10.1.1.3 20 40035 0 0
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 56.27, duration: 6.024612, size: 76 339
10.1.2.3 10.1.1.3 20 40035 bitrate: 0.00, duration: 0.003124, size: 0 0
10.1.1.3 10.1.2.3 53747 21 bitrate: 31.48, duration: 12.549360, size: 76 395
1283232730.452595 6.530739 10.1.2.3 10.1.1.3 20 40035 0 770336 - TCP_CLOSED
10.1.1.3 10.1.2.3 53747 21 bitrate: 31.48, duration: 12.549360, size: 76 395
10.1.1.3 10.1.2.3 53747 21 bitrate: 31.48, duration: 12.549360, size: 76 395
1283232724.432981 15.582105 10.1.1.3 10.1.2.3 53747 21 82 409 - TCP_CLOSED
Notice the duration and size variables of the control connection (port 21) update every time I enter a new ftp command (e.g. ls, to list the files in that remote directory). This did not happen earlier, when I did not use the TCP and FTP analyzers. And when I stop the transfer and close the connection, I see the total duration and size.
I think that I am missing some event handlers but I cannot figure out which ones. I even tried running BRO with “brolite” (which loads many of the standard analyzers) along with my policy file, but in vain.
(Perhaps this is how you’re
already capturing the traffic that it works correctly on, but I thought
of asking because on some systems packet capture for local traffic is
incomplete, and in particular lacks locally sent packets.)
What OS’s are the Nodes running?
Node 2 and 3 are FreeBSD 7.2
Node 1 is Ubuntu 10.04
Vern
Thank you.
Harkeerat Bedi
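Added example, not code from the post or from Bro itself: a small Python checker for the per-second poll lines in the format shown above, run over a constructed sample. It verifies that the printed bitrate equals the second size field divided by the duration (the figures in the post satisfy this, e.g. 353312 / 3.011079 = 117337.34) and flags connections whose duration and size are printed unchanged across several consecutive polls, which is the live-capture symptom described.

```python
import re
from collections import defaultdict

# Constructed sample in the post's line format:
# orig_ip resp_ip orig_port resp_port bitrate, duration, orig_size resp_size.
# The first connection advances each poll; the second is stuck at its first values.
SAMPLE = """\
10.1.2.3 10.1.1.3 20 57713 bitrate: 117337.34, duration: 3.011079, size: 0 353312
10.1.2.3 10.1.1.3 20 57713 bitrate: 117722.29, duration: 4.022144, size: 0 473496
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
10.1.2.3 10.1.1.3 20 47271 bitrate: 0.00, duration: 0.003685, size: 0 0
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (\d+) (\d+) bitrate: ([\d.]+), duration: ([\d.]+), size: (\d+) (\d+)$"
)

def parse(text):
    """Yield (conn_id, bitrate, duration, orig_size, resp_size) for each poll line.
    Lines in other formats (such as the TCP_CLOSED summaries) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            oip, rip, oport, rport, br, dur, osz, rsz = m.groups()
            yield (oip, rip, int(oport), int(rport)), float(br), float(dur), int(osz), int(rsz)

def bitrate_consistent(bitrate, duration, resp_size, tol=0.01):
    """True if the printed bitrate matches resp_size / duration within 1%."""
    if duration == 0:
        return bitrate == 0.0
    return abs(bitrate - resp_size / duration) <= tol * max(1.0, bitrate)

def inconsistent_lines(text):
    """Connection ids of lines whose bitrate does not match size / duration."""
    return [cid for cid, br, dur, _osz, rsz in parse(text)
            if not bitrate_consistent(br, dur, rsz)]

def stalled_connections(text, min_repeats=3):
    """Connection ids whose (duration, resp_size) was printed unchanged at least
    min_repeats times in a row, i.e. counters that did not advance between polls."""
    last, repeats, stalled = {}, defaultdict(int), set()
    for cid, _br, dur, _osz, rsz in parse(text):
        if last.get(cid) == (dur, rsz):
            repeats[cid] += 1
            if repeats[cid] + 1 >= min_repeats:
                stalled.add(cid)
        else:
            repeats[cid], last[cid] = 0, (dur, rsz)
    return stalled
```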