[Bro] Re: How does Bro capture the traffic of ftp data connection ?

Robin Sommer robin at icir.org
Fri Mar 16 09:34:31 PDT 2007

On Fri, Mar 16, 2007 at 14:39 +0800, Yongping Xiong wrote:

> How does Bro become aware of the close of the ftp data connection if it can't
> capture the corresponding TCP session packets?

By default Bro captures *all* TCP control packets (SYNs/FINs/RSTs)
and will therefore know about the ftp-data connection. However, it
does not capture any payload packets of the data connection.

> And "To dynamically capture certain traffic without including all
> packets, it feels feasible to create a new thread/process to run another Bro
> to capture and analyze

The second Bro still would have the same problem that it needs to
adapt its filter on the fly. And yes, the latency of the
communication would quite likely lead to missed packets. 

But we are working on another solution to the problem: we're in the
process of interfacing Bro with our time machine[1]. Bro will be
able to query the TM for the ftp-data connection once it has parsed
the control sessions. 


[1] http://www.net.t-labs.tu-berlin.de/research/tm

Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
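The following is an added illustration of what "parsing the control session" to learn the ftp-data endpoints involves; it is not code from the Bro project or from this thread. It walks the client/server lines of an FTP control channel, extracts the data-connection endpoint announced by PORT (active mode), 227 (passive mode) or 229 (extended passive mode, where only the port is sent and the host is the server), and builds the BPF expression a monitor would have to push into its capture filter on the fly. The base filter here (all TCP SYN/FIN/RST packets plus the full FTP control channel on 21/tcp) is my approximation of the behaviour Robin describes, not Bro's actual default filter, and the control-channel lines and addresses are constructed for the example.

```python
"""Derive ftp-data endpoints from an FTP control channel and build the
BPF filter needed to capture that data connection.

Added example; not Bro project code.  Sample FTP lines and addresses
below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Base capture filter of the kind described in the thread (assumption, not
# Bro's literal default): every TCP control packet (SYN/FIN/RST) on any
# port, so connection start/end is seen, plus all payload of the FTP
# control channel, so PORT/PASV/EPSV exchanges can be parsed.
CONTROL_ONLY_FILTER = (
    "(tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0) or (tcp port 21)"
)

# Active mode: client announces h1,h2,h3,h4,p1,p2 (RFC 959).
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: server announces the same tuple in a 227 reply.
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Extended passive mode (RFC 2428): only the port; host is the server.
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_endpoint(line: str, server_ip: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the announced data connection, or None
    if the line announces nothing or carries out-of-range octets/ports."""
    m = _PORT_RE.match(line) or _PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        # Refuse to build a filter from a malformed announcement.
        if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
            return None
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            return None
        return server_ip, port
    return None


def data_filter(host: str, port: int) -> str:
    """BPF expression selecting the ftp-data connection's packets."""
    return f"host {host} and tcp port {port}"


def extend_filter(base: str, host: str, port: int) -> str:
    """Widen an existing filter so the data connection's payload is captured."""
    return f"({base}) or ({data_filter(host, port)})"


def follow_control_channel(lines: List[str], server_ip: str) -> List[Tuple[str, str]]:
    """Walk control-channel lines in order; return (line, new_filter) for
    every line that required a filter update."""
    current = CONTROL_ONLY_FILTER
    updates = []
    for raw in lines:
        endpoint = parse_endpoint(raw.rstrip("\r\n"), server_ip)
        if endpoint is not None:
            current = extend_filter(current, *endpoint)
            updates.append((raw.strip(), current))
    return updates


# Constructed control-channel excerpt: one active and one passive transfer.
SAMPLE_SERVER_IP = "10.0.0.5"
SAMPLE_CONTROL_LINES = [
    "USER anonymous\r\n",
    "230 Login successful.\r\n",
    "PORT 192,168,1,10,4,1\r\n",          # client listens on 192.168.1.10:1025
    "200 PORT command successful.\r\n",
    "RETR a.txt\r\n",
    "226 Transfer complete.\r\n",
    "PASV\r\n",
    "227 Entering Passive Mode (10,0,0,5,195,80).\r\n",  # server port 50000
    "RETR b.txt\r\n",
]

if __name__ == "__main__":
    for line, flt in follow_control_channel(SAMPLE_CONTROL_LINES, SAMPLE_SERVER_IP):
        print(f"{line!r}\n  -> filter: {flt}")
```

The point of the thread is visible in the last step: the filter can only be widened after the PORT/227 line has been read and parsed, while the data connection's SYN may already be on the wire. With a base filter that keeps SYN/FIN/RST, the monitor still records that the data connection opened and closed; what it cannot recover is payload sent before the new filter was installed, which is the gap the time-machine query is meant to fill.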
