-
Notifications
You must be signed in to change notification settings - Fork 236
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discrepancies between TCPFlow v1.5.1 and v1.6.1 number of flows. Violations occurring with 1.6.1 but not with 1.5.1 as well. #258
Comments
Thanks for the update. Which is the correct result? The version that you were getting with 1.5.1 or with 1.6.1 ? |
I believe 1.5.1 is correct and the SYN scans are causing erroneous flows for 1.6.1. Some of the additional flows that 1.6.1 list contain no data which makes since for a SYN scan. |
Have we been able to figure out what caused the error, and if that code was put in place for other reasons? |
Your writeup is useful but I want to know three things that you do not make clear: |
Sorry, my programming skills are rusty. I haven't looked at the source code. I do think the issue relates to indicating a flow exist when the 3 way handshake hasn't completed. From the pcap I am using, looks like flows are showing up when the attacker scans a closed port (SYN, ACK-RST) although the number of flows are inconsistent. Note the two images attached. Flow to port 2348 is listed 3 times but in the Wireshark image, that flow looks like the other ACK-RST flows. I don't know why it shows up 3 times and the others don't. No problem. |
I'm excited that you are engaged here. I'm happy to work with you to improve you C++ skills if you wish. |
I just recently upgraded from TCPFlow 1.5.1 to 1.6.1. After running each version of tcpflow on the same pcap file, I'm getting different results. I'm trying to figure out why the discrepancies. For example when I run v1.6.1 I get some TCP PROTOCOL VIOLATION: SYN with data! messages that I don't get with 1.5.1. Also, the number of flows are different for each version. The pcap includes SYN scan data. I'm wondering if this is causing the differences. Can someone help me understand why these differences are occurring? Thank you!
The attached pdf file includes the issues experienced with screenshots. The zip file is the pcap I'm running each version of tcpflow against.
TCPFlow version discrepancies.pdf
intrusion.zip
The text was updated successfully, but these errors were encountered: