[Bro] Re: How does Bro capture the traffic of ftp data connection ?

Yongping Xiong yongping.xiong at gmail.com
Thu Mar 15 23:39:34 PDT 2007


sorry,there're something wrong with my mailer this morning.

Thank you for your answer

How does bro be aware of the close of ftp data connection if she can't
capture the corresponding tcp session packet? via the interactive info
appeared in the ftp control connection?
And ,To dynamically capture some certain traffic without including all
packet,  it feels feasible to create a new thread/process to run another bro
to capture and  analyze,but  is this process so long as to miss some packets
in that certain session?

On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:

>    So how does it dynamically add the filter string to capture the
> temporary traffic?

It doesn't. Dynamically changing the BPF filter is too expensive as
it would need to be recompiled every time (and the filter would
quickly get huge).

If you want Bro to analyze the content of ftp-data sessions, you
need to manually override the pcap filter to include all packets,
e.g., by running with "-f tcp".

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070316/5f040bd8/attachment.html 


More information about the Bro mailing list