[prev in list] [next in list] [prev in thread] [next in thread]
List: bro
Subject: Re: [Bro] nfs analysis
From: Vern Paxson <vern () icir ! org>
Date: 2007-10-11 18:59:47
Message-ID: 200710111859.l9BIxqQH024608 () pork ! ICSI ! Berkeley ! EDU
[Download RAW message or body]
Sorry for the delay on following up on this.
> 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> 132 getattr [|nfs]
Whenever tcpdump displays "|xxx", it means that the packet was truncated
due to a snapshot limitation. Bro can't analyze such packets at the
application level. So you need to capture traffic using tcpdump -s 0 to
turn off the limited snapshot.
Note, the funky port number its showing is the NFS file handle (or maybe
it's the RPC transaction ID - I forget which) - a tcpdump feature. So
I'm not sure what to make about your later comment that this was a tcpdump
bug ...
> 1190415715.190522 weird: bad_RPC
> 1190415715.190781 weird: unpaired_RPC_response
These arise because Bro can't fully parse the RPC.
Vern
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic