[Bro] UDP contents

Mike Dopheide dopheide at ncsa.uiuc.edu
Mon Jan 29 12:22:26 PST 2007

I'm having a slight problem getting the contents of Kerberos UDP 
packets.  This is my first attempt at Bro so hopefully my error is 
something simple.

Bro version 1.1d

When a client requests an initial Kerberos ticket it sends a request to 
the server (AS_REQ) and the server reply is usually either the ticket or 
an error.  I want to watch the initial AS_REQ, but all I'm seeing is the 
response from the server.

In this case, /tmp/trace2.out is a tcpdump of a couple of Kerberos requests 
from the client's perspective, and the AS_REQs are there when looking 
at the dump via ethereal.

/usr/local/bro/bin/bro -r /tmp/trace2.out hostname.bro

======  policy/bro.init  =============
const udp_content_deliver_all_orig = T &redef;
const udp_content_deliver_all_resp = T &redef;
======  site/hostname.bro ========
@prefixes = local
@load site
@load conn.bro    # not really needed

global dop = open_log_file("dop") &redef;

event udp_contents(u: connection, is_orig: bool, contents: string){
    local id = u$id;

    # log the port pair, then the raw UDP payload for this packet
    print dop, fmt("KDC %s %s", id$orig_p, id$resp_p);
    print dop, fmt("contents %s", contents);
}

Sample output from one of the requests; this is the server responding 
to the client.  Again, Bro is running on the client.

KDC 32898/udp 88/udp

Any thoughts?  Is it just because the AS_REQ is outgoing on the system 
where Bro is running?  (And why would that matter?)
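As an added example that is not part of the post: the handler above logs every UDP payload without looking at is_orig or at what the payload is. This Python stand-in shows the check a handler would apply to tell an AS_REQ (expected only from the originator) from the KDC's AS_REP or KRB_ERROR, using the outer ASN.1 APPLICATION tag from RFC 4120; the sample payloads are constructed, not captured traffic.

```python
# Added example, not code from the post: classify a Kerberos-over-UDP payload by
# its outer ASN.1 [APPLICATION n] tag and check it arrived in the expected direction.

# RFC 4120 outer tags: [APPLICATION n], constructed => 0x60 | n
KRB_APP_TAGS = {0x6A: "AS_REQ", 0x6B: "AS_REP", 0x6C: "TGS_REQ",
                0x6D: "TGS_REP", 0x7E: "KRB_ERROR"}
REQUESTS = {"AS_REQ", "TGS_REQ"}          # only these should arrive with is_orig == T


def der_length(buf: bytes, pos: int) -> tuple:
    """Decode the DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:                       # short form, one octet
        return first, pos + 1
    n = first & 0x7F                       # long form, n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify(contents: bytes, is_orig: bool) -> dict:
    """Name the Kerberos message and say whether its direction fits the AS exchange."""
    if len(contents) < 3:
        raise ValueError("payload too short for a Kerberos message")
    name = KRB_APP_TAGS.get(contents[0])
    if name is None:
        raise ValueError("not a Kerberos message (tag 0x%02x)" % contents[0])
    length, start = der_length(contents, 1)
    if start + length != len(contents):    # truncated or trailing garbage
        raise ValueError("DER length does not match payload size")
    if contents[start] != 0x30:            # KDC-REQ / KDC-REP / KRB-ERROR body is a SEQUENCE
        raise ValueError("expected SEQUENCE after APPLICATION tag")
    return {"msg": name, "direction_ok": is_orig == (name in REQUESTS)}


def kdc_msg(app_tag: int, fields: bytes) -> bytes:
    """Build a constructed sample: fields inside a SEQUENCE inside the APPLICATION tag."""
    def tlv(tag, body):
        n = len(body)
        ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
        return bytes([tag]) + ln + body
    return tlv(app_tag, tlv(0x30, fields))


# Constructed samples, not captured traffic: just pvno/msg-type fields (+ filler on the
# reply so the outer length takes DER's long form, as real AS_REPs do).
SAMPLE_AS_REQ = kdc_msg(0x6A, bytes.fromhex("a103020105a20302010a"))                 # msg-type 10
SAMPLE_AS_REP = kdc_msg(0x6B, bytes.fromhex("a003020105a10302010b") + b"\0" * 200)   # msg-type 11
SAMPLE_KRB_ERROR = kdc_msg(0x7E, bytes.fromhex("a003020105a10302011e"))              # msg-type 30
```

A Bro handler doing the same would look at `contents[0]` and `is_orig` together: an AS_REQ logged with is_orig == F, or none logged at all, points at the capture direction rather than at the script.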
