I’m trying to debug some traffic that is coming off an aggregator right now. I was pointed to this helpful set of slides from Vlad on how to troubleshoot and verify a network (https://speakerdeck.com/vladg/bro-deployment-verification-and-troubleshooting).
Looking at the weird.log from a ~2 min pcap on a network with ~6 Gbps throughput, I've noticed these entries (top 10 or so).
Now my questions are these:
1) That seems like a lot of errors for a small sample set, but I don't have a reference point for a network of this size. Does anyone else have an equivalent network that they could sanity check for me?
2) Is there a good reference for these weird.log entries that I can look at to try to pin down what is going wrong in the network? I'm particularly interested in HTTP_version_mismatch and a few others that Vlad mentioned in his presentation.
The main reason I'm interested in the details on HTTP_version_mismatch is that I have two pcaps from two separate ports off the aggregator and, for some reason, one is showing as HTTP2 (but only in the OS X version of Wireshark) and Bro can't read the pcap properly. The other pcap is read just fine.
Sorry for the wall of text but if anyone can point me in the right direction, I’d be much obliged. Thanks!
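An added example, not part of the post above and not Bro/Zeek project code, of the tabulation the two questions call for: a small Python reader for the default tab-separated weird.log format (the `#fields` header names the columns; `#unset_field` names the placeholder for missing values) that counts entries by weird name, breaks each name down by responder port, and computes a weirds-per-second rate so two captures or two networks can be compared on equal footing. The log lines embedded below are constructed for the example; the weird names in them are ones Bro emits, but the hosts, ports and counts are invented.

```python
from collections import Counter, defaultdict

# Constructed sample of a Bro/Zeek weird.log in the default ASCII writer format.
# Columns are tab-separated; the "#fields" line names them. Values are invented.
SAMPLE_WEIRD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1500000000.000000\tC1aaaa\t10.0.0.5\t51000\t93.184.216.34\t80\tHTTP_version_mismatch\t-\tF\tbro
1500000010.000000\tC2bbbb\t10.0.0.5\t51001\t93.184.216.34\t80\tHTTP_version_mismatch\t-\tF\tbro
1500000020.000000\tC3cccc\t10.0.0.9\t33000\t10.0.1.20\t80\tHTTP_version_mismatch\t-\tF\tbro
1500000030.000000\tC4dddd\t10.0.0.9\t33001\t10.0.1.20\t80\tunescaped_special_URI_char\t-\tF\tbro
1500000040.000000\tC5eeee\t10.0.0.7\t40001\t10.0.1.30\t443\tpossible_split_routing\t-\tF\tbro
1500000050.000000\tC6ffff\t10.0.0.7\t40002\t10.0.1.30\t443\tpossible_split_routing\t-\tF\tbro
1500000060.000000\tC7gggg\t10.0.0.7\t40003\t10.0.1.30\t443\tabove_hole_data_without_any_acks\t-\tF\tbro
1500000120.000000\tC8hhhh\t10.0.0.5\t51002\t10.0.1.40\t22\tbad_TCP_checksum\t-\tF\tbro
#close\t2017-07-14-03-00-00
"""


def parse_weird_log(text):
    """Parse the ASCII weird.log format into a list of dicts keyed by column name.

    Honors the #fields header for column names and #unset_field for the
    placeholder that marks a missing value (which becomes None).
    """
    fields = None
    unset = "-"
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#fields\t"):
                fields = raw.split("\t")[1:]
            elif raw.startswith("#unset_field\t"):
                unset = raw.split("\t", 1)[1]
            continue  # other header/footer lines carry no records
        if fields is None:
            raise ValueError("data row encountered before the #fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % raw)
        rec = {k: (None if v == unset else v) for k, v in zip(fields, values)}
        rec["ts"] = float(rec["ts"])
        for port_col in ("id.orig_p", "id.resp_p"):
            if rec.get(port_col) is not None:
                rec[port_col] = int(rec[port_col])
        records.append(rec)
    return records


def top_weirds(records, n=10):
    """The n most frequent weird names with their counts, most frequent first."""
    return Counter(r["name"] for r in records).most_common(n)


def weirds_by_service(records):
    """Map each weird name to a Counter of responder ports it was seen on,
    which shows whether a weird is tied to one service (e.g. port 80 only)."""
    out = defaultdict(Counter)
    for r in records:
        out[r["name"]][r.get("id.resp_p")] += 1
    return out


def weird_rate(records):
    """Weirds per second over the time span the log covers: a crude number
    that can be compared across captures of different lengths."""
    if not records:
        return 0.0
    timestamps = [r["ts"] for r in records]
    span = max(timestamps) - min(timestamps)
    return len(records) / span if span > 0 else float("inf")


if __name__ == "__main__":
    recs = parse_weird_log(SAMPLE_WEIRD_LOG)
    print("%d weirds over %.1f s (%.3f/s)" % (
        len(recs), max(r["ts"] for r in recs) - min(r["ts"] for r in recs), weird_rate(recs)))
    for name, count in top_weirds(recs):
        print("%6d  %-36s ports=%s" % (count, name, dict(weirds_by_service(recs)[name])))
```

Run it against a real file with `parse_weird_log(open("weird.log").read())`; the sample here exists only so the script runs offline. Because the weird name is kept alongside the 5-tuple, the same records can be joined to conn.log on `uid` to check `missed_bytes`, and a capture-side problem (one port of an aggregator seeing only part of a flow) tends to show up as weirds that concentrate on one responder port or one peer rather than spreading evenly.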