Analyzers fail to attach when SYN missing

Description

When the initial SYN packet is missing from the TCP connection, the conn.log entry gets created but no analyzers are attached.

1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)

I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. The SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).

I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of.

tshark is happy to tell me there is SSL inside, so it looks like there is hope.

1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443→54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0
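As an added example (not code from this report or from Bro/Zeek itself), the conn.log history field quoted above can be decoded to flag connections whose originator SYN was never observed; the letter meanings are assumed from Zeek's conn.log documentation (uppercase = originator, lowercase = responder), and the sample record is the line quoted in this report.

```python
"""Decode a Bro/Zeek conn.log 'history' string to flag TCP connections whose originator SYN was never seen."""

# conn.log history letters (uppercase = sent by originator, lowercase = by responder).
HISTORY_FLAGS = {
    "s": "SYN without ACK", "h": "SYN+ACK", "a": "pure ACK", "d": "payload",
    "f": "FIN", "r": "RST", "c": "bad checksum", "g": "content gap",
    "t": "retransmission", "w": "zero window", "i": "inconsistent packet",
    "q": "multi-flag packet", "^": "direction flipped",
}

# Constructed sample input: the conn.log record quoted in this report, space-separated.
SAMPLE_CONN_LINE = (
    "1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 "
    "tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)"
)

def decode_history(history):
    """Expand each history letter into a (side, meaning) tuple."""
    events = []
    for ch in history:
        if ch == "^":  # not a packet event: Zeek swapped originator/responder
            events.append(("zeek", HISTORY_FLAGS[ch]))
            continue
        side = "originator" if ch.isupper() else "responder"
        events.append((side, HISTORY_FLAGS.get(ch.lower(), f"unknown ({ch})")))
    return events

def handshake_state(history):
    """Classify which parts of the TCP 3-way handshake the history records."""
    saw_syn, saw_synack = "S" in history, "h" in history
    if saw_syn and saw_synack:
        return "complete"
    if saw_synack:
        return "missing_orig_syn"  # the case in this report: hADadFRf
    if saw_syn:
        return "missing_resp_synack"
    return "no_handshake"

def check_conn_line(line, sep=None):
    """Parse one conn.log record (whitespace split by default; pass sep='\\t' for
    real TSV logs) and return uid, service, history and the handshake verdict."""
    fields = line.split(sep)
    if len(fields) < 16:
        raise ValueError("conn.log record has too few fields")
    history = fields[15]
    return {"uid": fields[1], "service": fields[7], "history": history,
            "handshake": handshake_state(history), "events": decode_history(history)}
```

Decoded, hADadFRf reproduces the packet sequence tshark shows above minus the originator SYN, which is why the record is classified as missing_orig_syn even though conn_state says SF.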

Environment

None

Assignee

Johanna Amann

Reporter

Michal Purzynski

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal