[Bro] tcp contents

Vern Paxson vern at icir.org
Tue Nov 30 01:20:34 PST 2004


> Bad news:  Although it took just a simple modification to a copy of
> "demunx_conn()", I couldn't get it to work when writing to 1 file by using
> the CONTENTS_BOTH flag.

Ah - I realized the key problem, which is that CONTENTS_BOTH is not in
fact a valid parameter for set_contents_file.  The way that contents are
extracted from streams, it simply can't work.  (The definition is lying
around because it's used internal to the event engine in a slightly
different context.)

Is there some reason why you want to have both directions in a single file?
If so, then the way to do it is by defining a tcp_contents handler that
writes out the contents directly to a file:

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)

though this won't easily do the right thing in the presence of packet
loss/retransmission.

		Vern
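
An added example (not from the message above or from the Bro distribution) of the tcp_contents approach: both directions go to one file per connection, and the seq argument is used to drop retransmitted bytes and mark holes. It assumes Bro 2.x-era script syntax and builtins (c$uid, tcp_content_deliver_all_orig/resp, open/write_file/close, sub_bytes); the file name and record markers are made up for illustration, and sequence-number wraparound is ignored.

```bro
# Added example, assuming Bro 2.x-era syntax. Without these redefs no tcp_contents events fire.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

global out: table[string] of file;              # one output file per connection uid
global next_seq: table[string, bool] of count;  # next expected seq, per direction

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	if ( c$uid !in out )
		out[c$uid] = open(fmt("contents.%s.dat", c$uid));  # hypothetical file name

	local f = out[c$uid];
	local dir = is_orig ? ">" : "<";

	if ( [c$uid, is_orig] !in next_seq )
		next_seq[c$uid, is_orig] = seq;

	local expect = next_seq[c$uid, is_orig];
	local last = seq + |contents|;  # sequence number just past this segment

	if ( last <= expect )
		return;  # pure retransmission: every byte here was already written

	local data = contents;
	if ( seq > expect )
		# Hole: loss or reordering. A late filler segment is dropped by the check above.
		write_file(f, fmt("\n[%s gap of %d bytes]\n", dir, seq - expect));
	else if ( seq < expect )
		# Partial overlap: keep only the bytes not yet written (sub_bytes is 1-based).
		data = sub_bytes(contents, expect - seq + 1, last - expect);

	write_file(f, fmt("\n[%s seq=%d len=%d]\n", dir, seq, |data|));
	write_file(f, data);
	next_seq[c$uid, is_orig] = last;
	}

event connection_state_remove(c: connection)
	{
	if ( c$uid in out )
		{
		close(out[c$uid]);
		delete out[c$uid];
		}
	delete next_seq[c$uid, T];
	delete next_seq[c$uid, F];
	}
```

The gap marker records where bytes are missing rather than repairing the stream, so a reordered segment that arrives after its hole was marked is discarded, which is the loss/retransmission limitation the message describes.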


