[ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24803#comment-24803 ]
Justin Azoff commented on BIT-1545:
-----------------------------------

The other thing to keep in mind is how this affects missed_bytes and capture loss. When I do shunting with the Arista I allow control packets through, which lets most counters work; the only issue is that missed_bytes ends up being huge because Bro thinks we are dropping all the packets.

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
> Key: BIT-1545
> URL: https://bro-tracker.atlassian.net/browse/BIT-1545
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 14.04 LTS, myricom 10g capture card
> Reporter: Jason Carr
> Assignee: Johanna Amann
> Labels: logging
> Fix For: 2.5
>
> Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while
> running with broctl but it does log to weird.log and ssh.log but nothing to
> conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with
> an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log
> output.
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
> Testing on try.bro.org, 2.4+ and master has this problem but 2.3 and below it
> works as expected.
> Attached is the SSH connection outbound pcap.

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-014#72000)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev