[Bro] "unknown connection id" error
David J. Bianco
david at vorant.com
Thu Nov 6 11:37:56 PST 2008
Thanks Robin, that worked perfectly!
Robin Sommer wrote:
> On Thu, Nov 06, 2008 at 10:31 -0500, David J. Bianco wrote:
>> print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
>> %s", network_time(), id_string(c$id), get_conn_transport_proto(c$id));
>> Or are there some situations in which the connection might not be
>> listed in the active list?
> Yes, that can happen. Event processing is decoupled from event
> generation so it might happen that at the time an event is processed
> the underlying connection has already been expunged from the
> internal session table.
> In your case, there's an easy fix, assuming the line above is the
> only problematic case. The transport protocol is also encoded inside
> the connection's port values, and there's a function to access that
> information without doing a session-table lookup,
> So try something like this:
> print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
> %s", network_time(), id_string(c$id), get_port_transport_proto(c$id$orig_p));
More information about the Bro