[Bro] "unknown connection id" error

David J. Bianco david at vorant.com
Thu Nov 6 11:37:56 PST 2008


Thanks Robin, that worked perfectly!

	David

Robin Sommer wrote:
> On Thu, Nov 06, 2008 at 10:31 -0500, David J. Bianco wrote:
> 
>> print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
>>  %s", network_time(), id_string(c$id), get_conn_transport_proto(c$id));	
> [...]
>> Or are there some situations in which the connection might not be
>> listed in the active list?
> 
> Yes, that can happen. Event processing is decoupled from event
> generation so it might happen that at the time an event is processed
> the underlying connection has already been expunged from the
> internal session table. 
> 
> In your case, there's an easy fix, assuming the line above is the
> only problematic case. The transport protocol is also encoded inside
> the connection's port values, and there's a function to access that
> information without doing a session-table lookup,
> get_port_transport_proto().
> 
> So try something like this:
> 
>     print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
>        %s", network_time(), id_string(c$id), get_port_transport_proto(c$id$orig_p));	
> 
> Robin
> 




More information about the Bro mailing list