weird.log help

Howdy all,

I’m trying to debug some traffic that is coming off an aggregator right now. I was pointed to this helpful set of slides from Vlad on how to troubleshoot and verify a network (https://speakerdeck.com/vladg/bro-deployment-verification-and-troubleshooting).

Looking at the weird.log from a ~2 min pcap on a network with ~6 Gbps throughput, I’ve noticed these entries in the weird.log (top 10 or so).

5454 line_terminated_with_single_CR
4012 above_hole_data_without_any_acks
2827 TCP_ack_underflow_or_misorder
2601 SYN_seq_jump
2395 TCP_seq_underflow_or_misorder
2192 FIN_advanced_last_seq
1330 HTTP_version_mismatch
570 bad_HTTP_request
333 unescaped_special_URI_char
205 window_recision
151 dns_unmatched_msg

Now my questions are these - 1) That seems like a lot of errors for a small sample set but I don’t have a reference point for a network of this size. Does anyone else have an equivalent network that they could sanity check for me? 2) Is there a good reference for these weird.log entries that I can look at to try to pin down what is going wrong in the network? I’m particularly interested in the HTTP_version_mismatch and a few others that Vlad mentioned in his presentation.

The main reason I’m interested in the details on HTTP_version_mismatch is because I have two pcaps from two separate ports off the aggregator and, for some reason, one is showing as HTTP2 (but only in the OSX version of Wireshark) and Bro can’t read the pcap properly. The other pcap is read just fine.

Sorry for the wall of text but if anyone can point me in the right direction, I’d be much obliged. Thanks!
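Added example (not from the original poster and not Bro project code): a small parser for Zeek/Bro's tab-separated weird.log that produces the same kind of top-N tally shown above, and additionally splits the names into TCP-stream versus application-layer groups, since a high share of TCP-stream weirds is what you would expect if the capture itself is out of order rather than the hosts misbehaving. The sample log lines are constructed, and the grouping of names into categories is an assumption of this example (based on the names appearing in this thread), not a reference from the Bro documentation.

```python
"""Tally Zeek/Bro weird.log entries by name and by rough subsystem.

Added example for this thread; not Bro project code. Assumes the default
Zeek ASCII log format (a `#separator` header, a `#fields` header naming a
`name` column). The category sets below are this example's own heuristic.
"""
import codecs
from collections import Counter

# Assumed grouping of weird names into subsystems (names taken from the thread).
TCP_STREAM_WEIRDS = {
    "above_hole_data_without_any_acks", "TCP_ack_underflow_or_misorder",
    "SYN_seq_jump", "TCP_seq_underflow_or_misorder",
    "FIN_advanced_last_seq", "window_recision",
}
HTTP_WEIRDS = {
    "line_terminated_with_single_CR", "HTTP_version_mismatch",
    "bad_HTTP_request", "unescaped_special_URI_char",
}
DNS_WEIRDS = {"dns_unmatched_msg"}

# Constructed sample weird.log (abbreviated; addresses and uids are made up).
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tweird\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring\n"
    "1500000000.000001\tCuid1\t10.0.0.5\t51234\t10.0.0.9\t80\tline_terminated_with_single_CR\t-\tF\tbro\n"
    "1500000000.000120\tCuid2\t10.0.0.6\t51235\t10.0.0.9\t80\tabove_hole_data_without_any_acks\t-\tF\tbro\n"
    "1500000000.000300\tCuid3\t10.0.0.7\t51236\t10.0.0.9\t80\tline_terminated_with_single_CR\t-\tF\tbro\n"
    "1500000000.000410\tCuid2\t10.0.0.6\t51235\t10.0.0.9\t80\tTCP_ack_underflow_or_misorder\t-\tF\tbro\n"
    "1500000000.000550\tCuid4\t10.0.0.8\t51237\t10.0.0.9\t80\tabove_hole_data_without_any_acks\t-\tF\tbro\n"
    "1500000000.000700\tCuid5\t10.0.0.5\t51238\t10.0.0.9\t80\tline_terminated_with_single_CR\t-\tF\tbro\n"
    "1500000000.000810\tCuid6\t10.0.0.5\t51239\t10.0.0.9\t80\tHTTP_version_mismatch\t-\tF\tbro\n"
    "1500000000.000900\tCuid7\t10.0.0.5\t40001\t10.0.0.1\t53\tdns_unmatched_msg\t-\tF\tbro\n"
    "1500000000.001000\tCuid8\t10.0.0.5\t51240\t10.0.0.9\t80\tSYN_seq_jump\t-\tF\tbro\n"
    "#close\t2017-07-14-02-40-00\n"
)


def parse_zeek_log(text):
    """Return the data lines of a Zeek ASCII log as a list of dicts keyed by #fields."""
    sep = "\t"          # Zeek's default; overridden by the #separator header
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator header is space-delimited and escapes the char, e.g. \x09.
                sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("data line seen before #fields header")
        rows.append(dict(zip(fields, line.split(sep))))
    return rows


def top_weirds(rows, n=10):
    """Same tally as `cut -f name | sort | uniq -c | sort -rn | head`."""
    return Counter(row["name"] for row in rows).most_common(n)


def group_counts(rows):
    """Count weirds per subsystem using the assumed category sets above."""
    groups = Counter()
    for row in rows:
        name = row["name"]
        if name in TCP_STREAM_WEIRDS:
            groups["tcp_stream"] += 1
        elif name in HTTP_WEIRDS:
            groups["http"] += 1
        elif name in DNS_WEIRDS:
            groups["dns"] += 1
        else:
            groups["other"] += 1
    return groups


if __name__ == "__main__":
    rows = parse_zeek_log(SAMPLE_WEIRD_LOG)
    for name, count in top_weirds(rows):
        print(f"{count:6d} {name}")
    print(dict(group_counts(rows)))
```

Run it against a real file with `parse_zeek_log(open("weird.log").read())`; if the tcp_stream share dominates, check capture ordering before chasing the HTTP weirds, since a reassembler fed out-of-order packets produces application-layer weirds as a side effect.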

I don’t know your situation but this looks like a reordering problem. All tools expect a time order.

Timeout increase might help.

Thanks, Dan, I’ll look into this.
When I analyze the pcap in Wireshark I see a lot of “port reuse” errors as well which I think is indicative of this as well.

Use reordercap

https://www.wireshark.org/docs/man-pages/reordercap.html

Or it might help to install the tcprs plugin.

You could do some timeout tweaking too.
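Added example (not from anyone in this thread and not the Wireshark reordercap code): a minimal pure-Python check of what "time order" means for a capture file. It parses the classic libpcap format (not pcapng), counts how many records have a timestamp earlier than the record before them, and then writes a timestamp-sorted copy, which is the same operation reordercap performs. The sample capture is constructed in memory with dummy packet payloads; the function names are this example's own.

```python
"""Detect out-of-order timestamps in a libpcap file and emit a reordered copy.

Added example for this thread; not the reordercap implementation. Assumes the
classic libpcap format (24-byte global header, 16-byte record headers); pcapng
is not handled.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def _endian_for_magic(raw_magic):
    """Work out byte order from the magic number; fail on anything that is not libpcap."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", raw_magic)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return endian
    raise ValueError("not a classic libpcap file (pcapng or corrupt?)")


def read_pcap(data):
    """Return (global_header_bytes, [((ts_sec, ts_frac), raw_record_bytes), ...])."""
    endian = _endian_for_magic(data[:4])
    records = []
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append(((ts_sec, ts_frac), data[off:end]))
        off = end
    return data[:GLOBAL_HDR_LEN], records


def count_backward_steps(records):
    """Number of records whose timestamp is earlier than the preceding record's."""
    return sum(1 for i in range(1, len(records)) if records[i][0] < records[i - 1][0])


def reorder_pcap(data):
    """Stable-sort records by timestamp and rebuild the file, as reordercap does."""
    header, records = read_pcap(data)
    return header + b"".join(raw for _ts, raw in sorted(records, key=lambda r: r[0]))


# --- constructed sample capture (dummy payloads, deliberately out of order) ---
def _make_record(sec, usec, payload):
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def _make_sample_pcap():
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    stamps = [(100, 0), (100, 500), (100, 200), (101, 0), (100, 900)]
    return header + b"".join(_make_record(s, u, b"\x00" * 14) for s, u in stamps)


SAMPLE_PCAP = _make_sample_pcap()

if __name__ == "__main__":
    _, recs = read_pcap(SAMPLE_PCAP)
    print("records:", len(recs), "backward timestamp steps:", count_backward_steps(recs))
    _, fixed = read_pcap(reorder_pcap(SAMPLE_PCAP))
    print("after reorder:", count_backward_steps(fixed))
```

On a real file, `count_backward_steps(read_pcap(open("cap.pcap", "rb").read())[1])` being well above zero is a quick confirmation that the aggregator is interleaving its ports out of time order; at that point run reordercap before feeding the file to Bro rather than tuning reassembly timeouts around the symptom.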