[Bro] nfs analysis

Christian Kreibich christian at whoop.org
Wed Sep 26 17:04:29 PDT 2007

On Mon, 2007-09-24 at 10:39 -0700, Mike Wood wrote:
> Sadly, yes I do not get any output from nfs.bro.
> The tcpdump output for my trace looks like:
> 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> 132 getattr [|nfs]

(I feel I won't be able to give the definitive answer to this one, so
others are very welcome to jump in.)

I wonder whether it could be that Bro doesn't read all of the traffic --
check whether the resulting filter looks decent by adding
print-filter.bro at the end of your invocation?

Also, I'm wondering how the source port can be 4160508447 in your

