John,
Thanks for the quick response.
> Not sure what Netscaler does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
That's what I'm finding strange. After running a tcpdump capture on
the interface and analyzing it with Wireshark, I do not see any 3-way
handshakes for this particular web application. For any HTTP GET that
I see in Wireshark that pertains to this application, when I "Follow
TCP Stream", the first entry in Wireshark is always the GET message
itself. For all other applications on the network, doing the above
results in the first entry being the SYN.
I've generated a few dumps with the same results. I wonder if the
load balancer is somehow keeping a session active for very long
periods (if this even makes sense).
If you have any suggestions or thoughts, I'd be very interested.
Thanks,
Bill
On Sat, Feb 6, 2010 at 12:51 PM, John Hally <JHally(a)ebscohost.com> wrote:
> Hi Bill,
>
> I've run BRO in the past with load balancers (Arrowpoint/Cisco CSS) and
> was able to see all traffic. In our setup we had 2 segments; a VIP
> access link and a services trunk link where the real/origin servers
> lived. Both of these links had physical network taps and it was as
> simple as plugging in the Ethernet, flipping the interface to
> UP/PROMISC, and starting BRO.
>
> With the CSS, even though the unit would handle the initial connection,
> it would 'snap' that over to the origin server it picked during load
> balancing so you would still see the tcp setup.
>
> Not sure what Netscaler does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
>
> Thoughts?
>
> Thanks.
>
> John.
>
> -----Original Message-----
> From: bro-bounces(a)ICSI.Berkeley.EDU
> [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf Of Bill Jones
> Sent: Saturday, February 06, 2010 10:22 AM
> To: bro(a)ICSI.Berkeley.EDU
> Subject: [Bro] Load Balancers
>
> Hi everyone,
>
> I was curious if anyone has any experience running bro between
> load-balancers (such as Netscaler) and web applications. We are
> currently trying to get HTTP logs generated for a web application. We
> couldn't figure out why bro was not triggering the HTTP analyzer, but
> I now believe that this is because it is never seeing the original SYN
> + SYN/ACK for the conversation. When viewing the conversations in
> Wireshark, I can see that all the TCP streams for this particular
> application begin with the GET and do not include the initial 3-way
> handshake.
>
> Here is an entry in the conn.log for this stream which shows the states:
>
> 1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa
>
> Other web applications on the wire, which do have the 3-way handshake
> visible for all connections, seem to work just fine and I get http
> logs.
>
> My questions are:
>
> Am I correct in assuming that the lack of initial connection
> establishment is why the HTTP analysis is never occurring (and
> therefore I'm not getting entries in http.log)?
>
> Is there a way to force bro to analyze the traffic even though there
> is no proper 3-way handshake visible?
>
>
> Thanks for your time,
> Bill
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
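An added example, not from the thread and not Bro code: a Python script that does what Bill did by hand in Wireshark. It groups packets into TCP streams, notes which ones begin with a request instead of a SYN, and labels each stream with the subset of Bro's conn.log states that matter here: S0 (SYN seen, never answered), S1 (handshake done, not closed), SF (handshake and close both seen) and OTH (no SYN at all, traffic picked up mid-stream). OTH is exactly the state in Bill's conn.log line. The packets are constructed inline (the addresses are borrowed from the thread); the second stream mimics a load balancer's pooled back-end connection that was opened before the capture started. That is the usual reason a server-side tap sees only mid-stream GETs: Netscaler-class balancers multiplex many client requests over a few long-lived connections to each origin server, so the handshake happened once, long before the capture.

```python
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def pkt(ts, src, sport, dst, dport, flags, payload=b""):
    """Minimal packet record; a real tool would fill this from a pcap."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


def conn_key(p):
    """Direction-independent 4-tuple so both halves of a stream share a key."""
    a = (p["src"], p["sport"])
    b = (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)


def classify(packets):
    """Return {conn_key: {"orig", "state", "first_payload"}}.

    The originator is whoever sent the first captured packet, which is the
    best a passive sensor can do when the handshake was never seen.
    """
    streams = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        streams[conn_key(p)].append(p)

    result = {}
    for key, pkts in streams.items():
        first = pkts[0]
        orig = (first["src"], first["sport"])
        from_orig = lambda p: (p["src"], p["sport"]) == orig

        syn = any(p["flags"] & SYN and not p["flags"] & ACK and from_orig(p) for p in pkts)
        synack = any(p["flags"] & SYN and p["flags"] & ACK and not from_orig(p) for p in pkts)
        fin_orig = any(p["flags"] & FIN and from_orig(p) for p in pkts)
        fin_resp = any(p["flags"] & FIN and not from_orig(p) for p in pkts)

        if not syn:
            state = "OTH"          # never saw the originator's SYN: mid-stream pickup
        elif not synack:
            state = "S0"           # connection attempt, no reply
        elif fin_orig and fin_resp:
            state = "SF"           # normal establishment and termination
        else:
            state = "S1"           # established, not (yet) closed
        result[key] = {"orig": orig, "state": state, "first_payload": first["payload"]}
    return result


def midstream_http_requests(packets):
    """Streams whose very first captured packet is already an HTTP request."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
    return [k for k, v in classify(packets).items()
            if v["state"] == "OTH" and v["first_payload"].startswith(methods)]


# Constructed sample capture (not real traffic).
SAMPLE = [
    # Stream 1: ordinary client, full handshake, one request, clean close -> SF
    pkt(1.0, "10.0.0.5", 40000, "10.19.2.78", 80, SYN),
    pkt(1.1, "10.19.2.78", 80, "10.0.0.5", 40000, SYN | ACK),
    pkt(1.2, "10.0.0.5", 40000, "10.19.2.78", 80, ACK),
    pkt(1.3, "10.0.0.5", 40000, "10.19.2.78", 80, PSH | ACK, b"GET / HTTP/1.1\r\n\r\n"),
    pkt(1.4, "10.19.2.78", 80, "10.0.0.5", 40000, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
    pkt(1.5, "10.0.0.5", 40000, "10.19.2.78", 80, FIN | ACK),
    pkt(1.6, "10.19.2.78", 80, "10.0.0.5", 40000, FIN | ACK),
    # Stream 2: the balancer's pooled back-end connection, opened before the
    # capture began; every packet we hold is mid-stream -> OTH
    pkt(2.0, "10.19.120.12", 2232, "10.19.2.78", 80, PSH | ACK, b"GET /app/ HTTP/1.1\r\n\r\n"),
    pkt(2.1, "10.19.2.78", 80, "10.19.120.12", 2232, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
    pkt(2.5, "10.19.120.12", 2232, "10.19.2.78", 80, PSH | ACK, b"GET /app/x HTTP/1.1\r\n\r\n"),
    # Stream 3: unanswered SYN -> S0
    pkt(3.0, "10.0.0.9", 41000, "10.19.2.78", 80, SYN),
]

if __name__ == "__main__":
    for key, info in classify(SAMPLE).items():
        print(key, info["state"])
    print("mid-stream HTTP:", midstream_http_requests(SAMPLE))
```

If the OTH streams in your capture all share a handful of source ports on the balancer's back-end address, and those ports stay busy for hours, connection pooling on the balancer is the likely explanation: the handshake exists, it just predates the capture window.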
Hi All,
I am writing some Bro script to analyze HTTP sessions, and I have some
questions about these events:
#global http_stats: event(c: connection, stats: http_stats_rec);
I think the http_stats event is raised when one HTTP session is
done? But why can
stats$num_requests be 0?
I noticed that in http.bro there is one handler for this event, but
it is commented out.
Hello all,
Can anyone explain the number of, and reasoning behind, multiple
pcap_open calls to the same interface? Is one used for each type of
analyzer?
While experimenting with certain hardware I noticed a continuous stream
of errors due to exclusive usage limitations of the capture card.
(And if it's not too confusing I'd be interested to hear if and how the
Zero-copy buffer mode detailed in bpf(4) on FreeBSD might be utilized
within Bro).
Regards,
--Jason
Hello all,
If anyone is using the Intel 1000/Pro PF quad-port cards with Intel
I/OAT please contact me on or off-list.
Just a basic "how well is it performing @ what speed" type of inquiry.
Thanks,
--Jason
Greetings all,
I have a question regarding Time machine. I would like to find out why, when I attempt to compile Time machine it refuses to see broccoli.
Currently I have Bro running on a test instance (RHEL 5) and each time I compile Time machine I get this:
Time machine Configuration Summary
==========================================================
- Debugging enabled: no
- broccoli support: no
- Using ptmalloc: no
With no errors.
config.log:
configure:7028: checking for main in -lbroccoli
configure:7057: g++ -o conftest -g -O2 -O2 -g -Wall -I/usr/local/include -INONE/include -g -O2 -O2 -g -Wall -I/usr/local/include -INONE/include -INONE/include -L/usr/local/lib -LNONE/lib conftest.cpp -lbroccoli -lpcrecpp -lpcre -lpthread -lpcap >&5
/usr/bin/ld: cannot find -lbroccoli
ac_cv_lib_broccoli_main=no
I have a second instance of Bro (FreeBSD 8.0) in a virtual machine and I was able to compile and run Time machine without issue.
I would be happy to supply more info, or if anyone can point me to some documentation about Time machine.
Thanks All,
=-=Blake
I have not counted, but nearly every packet captured through tcpdump on
FreeBSD 8 i386, when analyzed by Bro,
generates a "Bad IP Checksum" weird warning. This only happens to me on
FreeBSD, and I run a lot of systems:
Windows 7, Mac OS X, Linuxes, Solaris...
So, how can I avoid this and filter only the normal warnings? It seems
very related to FreeBSD 8 network
interfaces, tcpdump on FreeBSD 8, etc.
Thanks.
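An added example, not part of the thread: a Python implementation of the IPv4 header checksum (the RFC 1071 one's-complement sum) so a suspicious packet can be checked by hand. The classic cause of a flood of "Bad IP Checksum" weirds on a capture taken on the sending host itself is checksum offloading: the kernel hands the packet to the NIC with the checksum field still zero, and the hardware fills it in after the point where tcpdump copied it. The classifier below therefore separates a zero checksum (offload) from a genuinely corrupt one. The 20-byte header is constructed; the second copy has its checksum field zeroed to mimic an offloaded outbound packet as seen in a local capture, and the third has a flipped TTL byte with a now-stale checksum.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum of an IPv4 header as the sender must compute it (field zeroed)."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def ipv4_header_and_stored_checksum(packet: bytes):
    """Slice the header using IHL and read the checksum the packet carries."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], struct.unpack("!H", packet[10:12])[0]


def classify_ipv4_checksum(packet: bytes) -> str:
    """'ok', 'zero' (field left blank, typical of TX offload) or 'bad'.

    A header is valid when the one's-complement sum over the whole header,
    checksum field included, folds to 0xFFFF.
    """
    header, stored = ipv4_header_and_stored_checksum(packet)
    if ones_complement_sum(header) == 0xFFFF:
        return "ok"
    return "zero" if stored == 0 else "bad"


# Constructed 20-byte IPv4 header: UDP, 192.168.0.1 -> 192.168.0.199,
# correct checksum 0xb861 in bytes 10-11.
GOOD = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
OFFLOADED = GOOD[:10] + b"\x00\x00" + GOOD[12:]   # what TX offload leaves in a local capture
CORRUPT = GOOD[:8] + b"\x41" + GOOD[9:]           # TTL 0x40 -> 0x41, checksum now stale

if __name__ == "__main__":
    for name, h in (("good", GOOD), ("offloaded", OFFLOADED), ("corrupt", CORRUPT)):
        print("%-10s stored=0x%04x expected=0x%04x -> %s"
              % (name, struct.unpack("!H", h[10:12])[0], ipv4_checksum(h),
                 classify_ipv4_checksum(h)))
```

If the weirds come from packets the capture host itself sent, capture on a separate box behind a tap or SPAN port, or turn offloading off on the capture interface (on FreeBSD, `ifconfig <if> -txcsum -rxcsum`) before blaming the network.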
I want to know whether Bro can read the HDLC data link. If not, can
we make Bro use the HDLC data link?
Please suggest.
Regards
vijay M Khadse
Is there a convenient way that I can suppress all weird messages that
would otherwise bubble up to the weird log?
I've done this
redef notice_action_filters += {
	[[Weird::WeirdActivity,
	  Weird::ContentGap,
	  Weird::RetransmissionInconsistency,
	  Weird::AckAboveHole]] = ignore_notice
};
But I still get some weird messages that I need to suppress like this
redef Weird::weird_action: table[string] of Weird::WeirdAction += {
	[["above_hole_data_without_any_acks",
	  "bad_TCP_checksum",
	  "unmatched_HTTP_reply",
	  "connection_originator_SYN_ack",
	  "window_recision",
	  "unescaped_special_URI_char",
	  "bad_UDP_checksum",
	  "data_before_established",
	  "inflate_failed",
	  "line_terminated_with_single_CR"
	]] = Weird::WEIRD_IGNORE
};
Ideas?
Thanks,
-Tim
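An added example, not from the thread and not Bro code: rather than chasing weird names one at a time as they show up, mine the weird log for the names that actually recur and generate the ignore block in the same `redef Weird::weird_action` form Tim posted. The log lines below are constructed; the parser assumes only that each line ends in the weird name (the layout of the fields before it is an assumption, so it takes the last whitespace-separated token and validates it as an identifier). `already` lets you pass in the names your existing redef covers so the output contains only the new ones.

```python
import re
from collections import Counter

# Constructed weird log excerpt; the field layout before the name is assumed.
SAMPLE_WEIRD_LOG = """\
1265389087.849048 10.19.120.12/2232 > 10.19.2.78/80: bad_TCP_checksum
1265389087.851201 10.19.120.12/2232 > 10.19.2.78/80: data_before_established
1265389088.001337 10.19.120.13/3108 > 10.19.2.78/80: bad_TCP_checksum
1265389088.120044 10.19.120.12/2232 > 10.19.2.78/80: unmatched_HTTP_reply
1265389089.000001 10.19.120.14/3301 > 10.19.2.78/80: bad_TCP_checksum
1265389090.500000 truncated_header
"""

IDENT = re.compile(r"[A-Za-z0-9_]+")


def count_weirds(text: str) -> Counter:
    """Count weird names, taken as the last token of each non-comment line."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[-1]
        if IDENT.fullmatch(name):             # skip lines that end in an address etc.
            counts[name] += 1
    return counts


def ignore_redef(counts: Counter, min_count: int = 2, already=()) -> str:
    """Emit a redef block (Tim's syntax) for names seen at least min_count times."""
    names = sorted(n for n, c in counts.items() if c >= min_count and n not in already)
    if not names:
        return ""
    body = ",\n".join('\t  "%s"' % n for n in names)
    return ("redef Weird::weird_action: table[string] of Weird::WeirdAction += {\n"
            "\t[[\n%s\n\t]] = Weird::WEIRD_IGNORE\n};\n" % body)


if __name__ == "__main__":
    counts = count_weirds(SAMPLE_WEIRD_LOG)
    for name, n in counts.most_common():
        print("%6d %s" % (n, name))
    print(ignore_redef(counts, min_count=1, already=("bad_TCP_checksum",)))
```

Keep `min_count` above one when the log is large: a weird that fires once is more likely to be an actual anomaly than noise, and silencing it by name is a permanent blind spot.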
Hi,
Is there any default trace file that comes with Bro 1.5? If yes, what is it,
and in which directory can I find it, so that I can check whether Bro is working
properly or not? I have a trace file which has a problem.
thanks,
vijay khadse