
HTTP Response no HTTP Request same TCP session?

Question asked by KEVIN DIENST on Aug 16, 2017
Latest reply on Aug 17, 2017 by Christopher Ahearn

I ran into a problem during an investigation where one of our analysts was unable to identify the network session in NetWitness, but had a packet from the IDS supporting a SQLi attempt. 


Basically I was able to isolate the network session in NetWitness but IDS reported TCP src port as 57702, whereas I only found the HTTP request via TCP src port 57710. When I query NetWitness for 57702 I see an event where service = 80 && tcpflags = 'syn' && action !exists && result.code exists. I see the HTTP RESPONSE only in the pcap from NetWitness, not the full request/response I expect.


Example of the pcap in Wireshark.


Has anyone seen this before?


If I run that query against all my packet flows I get millions of sessions. 


service = 80 && tcpflags = 'syn' && action !exists && result.code exists


What is this traffic? I would expect that every HTTP session has a request/response and thus the HTTP method. 


What am I missing? Is this potentially continuation traffic? Does NetWitness cut off the event after 60 sec/32MB and then if we see the response we mark it as a separate session?
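Added example, not from the original post and not NetWitness code: it models the cut-off hypothesis raised in the question by splitting one client-port packet stream at an assumed 60 s idle gap or 32 MB of payload, then describing each fragment with the same three fields the query keys on (tcpflags syn, action, result.code). The thresholds, the Packet record and the sample packets are constructed assumptions, so the output shows how a response-only fragment can arise under that model, not what the decoder actually does.

```python
import re
from dataclasses import dataclass

# Assumed cut-off values taken from the question's hypothesis (not verified against NetWitness).
SESSION_TIMEOUT_S = 60
SESSION_MAX_BYTES = 32 * 1024 * 1024

@dataclass
class Packet:
    ts: float          # capture time in seconds
    sport: int         # client (source) port
    flags: str         # TCP flags, e.g. "S", "SA", "PA"
    payload: bytes     # TCP payload, empty for pure SYN/ACK packets
    from_client: bool  # True for client -> server direction

METHOD_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")

def split_sessions(packets):
    """Cut one client-port stream into fragments at an idle gap or payload ceiling."""
    sessions, cur, cur_bytes, last_ts = [], [], 0, None
    for p in sorted(packets, key=lambda p: p.ts):
        if cur and (p.ts - last_ts > SESSION_TIMEOUT_S or cur_bytes + len(p.payload) > SESSION_MAX_BYTES):
            sessions.append(cur)
            cur, cur_bytes = [], 0
        cur.append(p)
        cur_bytes += len(p.payload)
        last_ts = p.ts
    if cur:
        sessions.append(cur)
    return sessions

def describe(session):
    """Derive the metadata the question's query keys on: syn, action (method), result.code."""
    view = {"sport": session[0].sport, "syn": False, "action": None, "result.code": None}
    for p in session:
        if p.flags == "S":
            view["syn"] = True
        m = (METHOD_RE if p.from_client else STATUS_RE).match(p.payload)
        if m and p.from_client and view["action"] is None:
            view["action"] = m.group(1).decode()
        elif m and not p.from_client and view["result.code"] is None:
            view["result.code"] = m.group(1).decode()
    return view

def response_only_sessions(packets):
    """Fragments matching the query's `action !exists && result.code exists` condition."""
    return [v for v in map(describe, split_sessions(packets)) if v["action"] is None and v["result.code"]]

# Constructed sample: one connection on client port 57710 whose response arrives 90 s after the request.
SAMPLE = [
    Packet(0.0, 57710, "S", b"", True),
    Packet(0.1, 57710, "SA", b"", False),
    Packet(0.2, 57710, "PA", b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n", True),
    Packet(90.5, 57710, "PA", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", False),
]
```

In this model a fragment created by the cut-off carries no SYN, so a response-only session that also matches tcpflags = 'syn' is worth comparing against the raw capture before attributing it to continuation.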
