[Bro] Backdoor Analyzer for interactive traffic

Vern Paxson vern at icir.org
Tue Nov 14 13:46:59 PST 2006

> According to the paper, the filter (ip[2:2] - 
> ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all 
> "small" packets. However, when I print the capture filter using 
> print-filter analyzer, I cannot see this filter being loaded. How and 
> when is this filter loaded? I want to be able to detect interactive 
> connections on any random port.

In your wrapper script, add

	redef capture_filters += {
		["interconn"] =
			"(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20"

to explicitly set the filter.


More information about the Bro mailing list