
HTTP response but no HTTP request in the same TCP session?

Question asked by KEVIN DIENST on Aug 16, 2017
Latest reply on Aug 17, 2017 by Christopher Ahearn

I ran into a problem during an investigation where one of our analysts was unable to identify the network session in NetWitness, but had a packet from the IDS supporting a SQLi attempt. 


Basically I was able to isolate the network session in NetWitness, but the IDS reported the TCP src port as 57702, whereas I only found the HTTP request on TCP src port 57710. When I query NetWitness for 57702 I see an event where service = 80 && tcpflags = 'syn' && action !exists && result.code exists. I see only the HTTP response in the pcap from NetWitness, not the full request/response I expect.


Example of the pcap in Wireshark:


Has anyone seen this before?


If I run that query against all my packet flows I get millions of sessions. 


service = 80 && tcpflags = 'syn' && action !exists && result.code exists


What is this traffic? I would expect every HTTP session to have a request/response and thus an HTTP method.


What am I missing? Is this potentially continuation traffic? Does NetWitness cut off the event after 60 sec / 32 MB and then, if we see the response, mark it as a separate session?
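An added example, not code from the original post or from NetWitness: a stdlib-only Python script that parses a classic pcap, groups packets into bidirectional TCP flows, and flags flows that carry an HTTP status line but no HTTP request line. That is the packet-level equivalent of the `result.code exists && action !exists` query in the post, applied to a raw capture rather than to NetWitness meta. The embedded capture is constructed in memory (addresses, timestamps and payloads are made up; the client ports 57710 and 57702 are reused from the post only as labels). The script only produces candidate flows to pivot on; a flow that a collector split on its session timeout or size limit looks identical to one whose request was genuinely never captured.

```python
"""Flag TCP flows in a classic pcap that show an HTTP response but no HTTP request.

Added example (not NetWitness code). Pure stdlib: pcap, Ethernet, IPv4, TCP parsing.
The sample capture below is constructed, not real traffic.
"""
import struct
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
SYN, PSH, ACK = 0x02, 0x08, 0x10


def parse_pcap(data):
    """Yield raw Ethernet frames from a classic pcap (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp_frame(frame):
    """Return (src, sport, dst, dport, flags, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], tcp[data_off:]


def classify_flows(pcap_bytes):
    """Group packets by bidirectional 4-tuple; record SYN, request and response evidence."""
    flows = defaultdict(lambda: {"syn": False, "request": False, "response": False, "packets": 0})
    for frame in parse_pcap(pcap_bytes):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        f = flows[key]
        f["packets"] += 1
        f["syn"] |= bool(flags & SYN)
        if payload.startswith(HTTP_METHODS):
            f["request"] = True
        elif payload.startswith(b"HTTP/1."):
            f["response"] = True
    return dict(flows)


def response_only_flows(pcap_bytes):
    """Flows with an HTTP status line but no request line: the 'action !exists' case."""
    return [k for k, f in classify_flows(pcap_bytes).items() if f["response"] and not f["request"]]


def _frame(src, sport, dst, dport, flags, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap container (linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, fr in enumerate(frames):
        out.append(struct.pack("<IIII", 1_500_000_000 + i, 0, len(fr), len(fr)) + fr)
    return b"".join(out)


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed addresses
SAMPLE_PCAP = _pcap([
    # Flow on client port 57710: complete handshake, request and response.
    _frame(CLIENT, 57710, SERVER, 80, SYN, b""),
    _frame(SERVER, 80, CLIENT, 57710, SYN | ACK, b""),
    _frame(CLIENT, 57710, SERVER, 80, PSH | ACK, b"GET /item.php?id=1 HTTP/1.1\r\nHost: shop\r\n\r\n"),
    _frame(SERVER, 80, CLIENT, 57710, PSH | ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # Flow on client port 57702: SYN seen, response seen, request never captured.
    _frame(CLIENT, 57702, SERVER, 80, SYN, b""),
    _frame(SERVER, 80, CLIENT, 57702, SYN | ACK, b""),
    _frame(SERVER, 80, CLIENT, 57702, PSH | ACK, b"HTTP/1.1 500 Internal Server Error\r\n\r\n"),
])

if __name__ == "__main__":
    for key in response_only_flows(SAMPLE_PCAP):
        print("response without request:", key)
```

Point the script at a real file with `response_only_flows(open("capture.pcap", "rb").read())`; it needs Ethernet-framed classic pcap input, not pcapng. Flows it reports are the ones to search for in the collector by client port and time window, to see whether the missing request landed in a neighbouring session.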