• S - originator sent SYN
• h - responder sent SYN+ACK
• A - originator sent ACK

"Unhealthy" TCP history: SAD...
• S - originator sent SYN
• A - originator sent ACK
• D - originator sent data

Another "unhealthy" TCP option: had...
• h - responder sent SYN+ACK
• a - responder sent ACK
• d - responder sent data
and protocol.
• Don't forget about the NIC hashing!
• Are you seeing all the traffic?
• Are you getting duplicate traffic?
• If loss is too high, you might be overloaded - can you use filters?
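The history letters above and the "are you seeing all the traffic?" question go together: a history like SAD (originator ACKs and sends data, but we never saw the responder's SYN+ACK) or had (responder replies to a SYN we never captured) is a one-sided connection, which is what an asymmetric tap or bad NIC hashing looks like in conn.log. The following is an added example, not from the slides or the Bro/Zeek project; it assumes a constructed conn.log excerpt with a subset of the real columns and classifies each TCP history string.

```python
from collections import Counter

# History letters as described on the slides: uppercase = originator,
# lowercase = responder; S/s SYN, H/h SYN+ACK, A/a ACK, D/d data.
def classify_history(history: str) -> str:
    """Classify a conn.log history string as healthy, one-sided or incomplete."""
    orig = [c for c in history if c.isupper()]
    resp = [c for c in history if c.islower()]
    # "had": responder packets only -> the originator's side was never captured
    if resp and not orig:
        return "one-sided"
    # "SAD": originator ACKs or sends data to a responder we never saw
    if orig and not resp and any(c in "AD" for c in orig):
        return "one-sided"
    # Three-way handshake seen in order: S, then h, then A
    s, h, a = history.find("S"), history.find("h"), history.find("A")
    if 0 <= s < h < a:
        return "healthy"
    return "incomplete"          # e.g. a lone "S": unanswered SYN

# Constructed conn.log excerpt (subset of the real columns), tab-separated
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\thistory\n"
    "1.0\tC1\t10.0.0.1\t40001\t10.0.0.2\t80\ttcp\thttp\tShADadF\n"
    "2.0\tC2\t10.0.0.1\t40002\t10.0.0.3\t443\ttcp\tssl\tSAD\n"
    "3.0\tC3\t10.0.0.4\t40003\t10.0.0.2\t80\ttcp\thttp\thad\n"
    "4.0\tC4\t10.0.0.5\t40004\t10.0.0.6\t22\ttcp\t-\tS\n"
)

def summarize(conn_log: str) -> dict:
    """Count TCP connections per history class using the #fields header."""
    fields, counts = None, Counter()
    for line in conn_log.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            if rec.get("proto") == "tcp":
                counts[classify_history(rec["history"])] += 1
    return dict(counts)

def one_sided_ratio(counts: dict) -> float:
    """Share of TCP connections where only one direction was seen."""
    total = sum(counts.values())
    return counts.get("one-sided", 0) / total if total else 0.0

if __name__ == "__main__":
    c = summarize(SAMPLE_CONN_LOG)
    print(c, f"one-sided: {one_sided_ratio(c):.0%}")
```

A one-sided share that is far above zero on a production sensor points at capture problems (tap, span port or NIC hashing) rather than at the hosts themselves.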
• service in conn.log
• trace-summary.py
• Is it able to parse the traffic?
• policy/frameworks/dpd/packet-segment-logging.bro creates dpd.log:
  ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason packet_segment
count  analyzer  failure_reason
15043  HTTP      not a http request line
14915  SSL       Invalid version late in TLS connection. Packet reported version: $version
 7569  SSL       Invalid headers in SSL connection. $headers
 6698  SSL       Invalid version in TLS connection. Version: $version
  693  DNS       DNS_Conn_count_too_large
   27  SSL       Invalid version in SSL client hello. Version: $version
   16  SMTP      reply code -1 out of range [The SMTP...
    5  SSH       malformed ssh identification [QUIT]
    4  DHCP      no DHCP message type option
    3  SMTP      reply code -1 out of range
    2  SMTP      reply code -1 out of range [5.7.2 User...