[Bro] Traffic analysis by Bro

Abhinay Kampasi abhinay at cs.utexas.edu
Thu Nov 9 10:32:31 PST 2006


What traffic does Bro monitor by default (i.e. what pcap capture filter 
does it use)?

Suppose one of the policy scripts redefines the capture filter to 
monitor SSH traffic as follows:

"redef capture_filters += { ["xxxx"] = "tcp port 22" };"

Does this modify the global filter? I mean, do all the policy scripts 
(and not only my script) see the SSH traffic?
