I wrote a bro script that works on the flags in the TCP header and on
the identifier field in the IP header. While some TCP connections can be
processed without any problems, others seem to produce strange results
with my script.
The attached pcap file (example.pcap) contains a problematic connection.
As you can see, this starts with four SYN packets (probably due to
retransmits) which also have ECN and CWR set. The identifier field of
these packets is set to a custom 0x3fff.
If you run bro-1.4 with the attached script (test.bro), which prints the
id-field and the flags, you will get this output:
$ bin/bro -C -r example.pcap test.bro
As you can see, only one SYN packet has been passed to new_packet() in
the script, and this packet transports neither the correct id nor
the correct flags. I think this problem only occurs when the first SYN
packet has been retransmitted.
1.) Is it the desired behavior to only pass one SYN packet to
new_packet() instead of all SYN packets? In my opinion it might be a
good idea to get all packets that have been transmitted (or observed).
2.) Is it desired behavior that the passed SYN packet does not contain
all the information that was in the original packet?
3.) Can I tune bro to give me the original packet?
# test.bro: print the IP identifier and the raw TCP flags of every packet
event new_packet(c: connection, p: pkt_hdr)
	{
	print fmt("%d %d", p$ip$id, p$tcp$flags);
	}
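To check what is actually on the wire against what new_packet() reports, the following added example (not part of the original post and not Bro/Zeek code) walks a classic pcap buffer with nothing but the standard library and prints the IP identifier and raw TCP flags of each TCP packet, plus a count of initial SYNs. The capture it reads is constructed inline and only stands in for the poster's example.pcap: four SYN retransmits with id 0x3fff and SYN, ECE and CWR set, followed by a SYN/ACK and an ACK; the file name, addresses and ports are assumptions.

```python
"""Added example: a minimal classic-pcap reader that lists the IP id and
raw TCP flags per packet, for comparison with Bro's new_packet() output."""
import struct

# TCP flag bits in the low 9 bits of the data-offset/flags word.
# RFC 3168 adds CWR and ECE to the classic six; NS is the RFC 3540 nonce bit.
TCP_FLAGS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
             (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
             (0x100, "NS")]

def flag_names(flags):
    """Render a raw TCP flags value as names, e.g. 0xC2 -> 'SYN,ECE,CWR'."""
    return ",".join(name for bit, name in TCP_FLAGS if flags & bit)

def parse_frame(frame):
    """Return {'ip_id', 'flags'} for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 ethertype
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:             # not IPv4 / not TCP
        return None
    ihl = (frame[14] & 0x0f) * 4                          # IPv4 header length
    ip_id = struct.unpack("!H", frame[18:20])[0]          # identification field
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    tcp_flags = struct.unpack("!H", tcp[12:14])[0] & 0x1ff
    return {"ip_id": ip_id, "flags": tcp_flags}

def parse_pcap(data):
    """Walk a classic (non-pcapng) pcap buffer; one dict per TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xa1b2c3d4:
        end = "<"
    elif magic == 0xd4c3b2a1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        rec = parse_frame(data[off:off + incl_len])
        off += incl_len
        if rec:
            records.append(rec)
    return records

def count_syn_only(records):
    """Initial SYNs (SYN set, ACK clear); more than one per connection = retransmits."""
    return sum(1 for r in records if r["flags"] & 0x002 and not r["flags"] & 0x010)

# ---- constructed sample capture (stands in for the poster's example.pcap) ----
def build_frame(ip_id, flags):
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left 0
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | flags,
                      65535, 0, 0)                        # 20-byte header, no options
    return eth + ip + tcp

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body

SAMPLE_PCAP = build_pcap(
    [build_frame(0x3fff, 0x0c2)] * 4                      # four SYN+ECE+CWR retransmits
    + [build_frame(0x1234, 0x012), build_frame(0x0042, 0x010)])  # SYN/ACK, ACK

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    for r in recs:
        print("id=0x%04x flags=0x%03x (%s)"
              % (r["ip_id"], r["flags"], flag_names(r["flags"])))
    print("initial SYNs on the wire:", count_syn_only(recs))
```

Replace SAMPLE_PCAP with the bytes of a real capture (open(path, "rb").read()) to list every SYN the capture holds; if this shows four SYNs with id 0x3fff and flags 0xC2 while the script above prints one packet with different values, the difference is in what Bro hands to new_packet(), not in the capture.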