Single sided HTTP POST split

Description

Attached are two pcap samples; one is a single-sided version of the other, an HTTP POST.

When I process the single-sided version (sample-upload2-req), conn.log shows two sessions (the HTTP POST TCP connection that has been split) and http.log shows a partial upload. However, processing the original sample (sample-upload2-all), everything is as expected: one connection in conn.log and a complete http.log.

Are there any parameters I can tweak to make this work?

Environment

CentOS 6

Activity

Johanna Amann
October 22, 2015, 9:03 PM

I am closing this for now. It is one of the well-known gotchas of the current Bro implementation, that it does not deal well with one-sided traffic.

We should fix that at some point in the future - however, it will not be forgotten and extends way beyond the issues indicated in this bug. If there is any more need for discussion, feel free to re-open.

Jon Siwek
October 3, 2014, 4:54 PM

> Might it be better to mark the connection as successful if data is sent?

Yeah, I think that's a nice idea – seems kind of arbitrary for Bro to close the session if it knows one side is still actively sending data.

> Otherwise have to set this to a large number, to cover longest possible TCP sessions, but presumably has a big impact on memory usage, as "lone" SYNs will keep state?

Yes, I think that would be a concern, but there are also several other timeout mechanisms (which are also tuneable) that I'm not immediately sure would come to the rescue even if the one in question was set high.

Jimmy Jones
October 3, 2014, 3:42 PM

Thanks!

Might it be better to mark the connection as successful if data is sent? Again, for the single-sided case, which I'm not sure how many people are worried about/notice? Otherwise have to set this to a large number, to cover longest possible TCP sessions, but presumably has a big impact on memory usage, as "lone" SYNs will keep state?

Jon Siwek
September 29, 2014, 5:08 PM

tcp_attempt_delay seems to be the relevant option.

Related: connection_attempt
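
One way to spot the symptom described in this issue in existing logs, as an added example that is not part of the original thread or of Bro itself: group conn.log records by 5-tuple and flag one-sided flows that were logged more than once. The sample records, the reduced field set and the 60-second gap threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated conn.log layout (reduced field set).
# All values are invented for illustration, not taken from the attached pcaps.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    "1411999200.10\tCaaa1\t10.0.0.5\t40001\t192.0.2.10\t80\ttcp\t1460\t0",
    "1411999205.30\tCbbb2\t10.0.0.5\t40001\t192.0.2.10\t80\ttcp\t250000\t0",
    "1411999300.00\tCccc3\t10.0.0.6\t40002\t192.0.2.10\t80\ttcp\t512\t2048",
    "1411999400.00\tCddd4\t10.0.0.7\t40003\t192.0.2.10\t80\ttcp\t300\t-",
])

KEY = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def read_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def one_sided(rec):
    """True when no responder payload was recorded ('-' means unset)."""
    return rec["resp_bytes"] in ("-", "0")


def find_split_connections(text, max_gap=60.0):
    """Return {5-tuple: [uids]} for one-sided flows logged more than once
    with at most max_gap seconds between consecutive records."""
    by_tuple = defaultdict(list)
    for rec in read_conn_log(text):
        if one_sided(rec):
            by_tuple[tuple(rec[k] for k in KEY)].append(rec)
    suspects = {}
    for key, recs in by_tuple.items():
        recs.sort(key=lambda r: float(r["ts"]))
        gaps = [float(b["ts"]) - float(a["ts"]) for a, b in zip(recs, recs[1:])]
        if gaps and max(gaps) <= max_gap:
            suspects[key] = [r["uid"] for r in recs]
    return suspects


if __name__ == "__main__":
    for key, uids in find_split_connections(SAMPLE_CONN_LOG).items():
        print(key, uids)
```

The returned uids can be matched against http.log to find uploads that were recorded only partially.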

Won't Fix

Assignee

Unassigned

Reporter

Jimmy Jones

Labels

None

External issue ID

None

Priority

Normal