[Bro] tcp contents
vern at icir.org
Tue Nov 30 01:20:34 PST 2004
> Bad news: Although it took just a simple modification to a copy of
> "demunx_conn()", I couldn't get it to work when writing to 1 file by using
> the CONTENTS_BOTH flag.

Ah - I realized the key problem, which is that CONTENTS_BOTH is not in
fact a valid parameter for set_contents_file. The way that contents are
extracted from streams, it simply can't work. (The definition is lying
around because it's used internal to the event engine in a slightly

Is there some reason why you want to have both directions in a single file?
If so, then the way to do it is by defining a tcp_contents handler that
writes out the contents directly to a file:

	event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)

though this won't easily do the right thing in the presence of packet
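
A sketch of the handler approach described in the message above, added as an example and not taken from the original post or from Bro's shipped scripts. It assumes Bro 2.x-era script syntax and built-ins (open, write_file, close, fmt, port_to_count) and the tcp_content_deliver_all_orig/_resp switches; the file naming scheme, the chunk header format and the names contents_files and contents_file_for are hypothetical.

```bro
# Added example: both directions of a connection written to one file
# from a tcp_contents handler. Assumes Bro 2.x-era built-ins.

# tcp_contents is only raised for traffic selected for content delivery.
# Delivering everything is expensive; on a busy link narrow it with
# tcp_content_delivery_ports_orig / tcp_content_delivery_ports_resp.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# One open output file per connection, keyed by the connection 4-tuple.
global contents_files: table[conn_id] of file;

function contents_file_for(c: connection): file
	{
	if ( c$id !in contents_files )
		{
		# Hypothetical naming scheme. port_to_count() is used because a
		# port formatted with %s renders as e.g. "80/tcp", and the "/"
		# would end up inside the file name.
		local name = fmt("contents.%s.%d-%s.%d",
		                 c$id$orig_h, port_to_count(c$id$orig_p),
		                 c$id$resp_h, port_to_count(c$id$resp_p));
		contents_files[c$id] = open(name);
		}

	return contents_files[c$id];
	}

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	local f = contents_file_for(c);

	# Tag every chunk with direction, sequence number and length, so a
	# reader of the single file can separate the two directions again.
	write_file(f, fmt("%s seq=%d len=%d\n", is_orig ? ">>>" : "<<<", seq, |contents|));
	write_file(f, contents);
	write_file(f, "\n");
	}

event connection_state_remove(c: connection)
	{
	if ( c$id in contents_files )
		{
		close(contents_files[c$id]);
		delete contents_files[c$id];
		}
	}
```

Chunks land in the file in the order the events are delivered, so the per-chunk header is the only record of which direction and stream offset each piece belongs to.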