[Bro] Fragmentation and TCP overlapping Issues
vern at icir.org
Mon Dec 6 09:51:44 PST 2010
> Regarding fragmentation (question 1), I am running bro with this command:
> bro $files todai-nets -f "tcp or udp or icmp" dpd_conn_logs=T dpd
> detect-protocols dyn-disable detect-protocols-http proxy ssh irc-bot brolite
> print-globals capture-loss
What happens when you use
bro ... -f "tcp or udp or icmp or (ip[6:2] & 0x3fff != 0)" ...
> The variable $files contains 300 consecutive captured files (pcap) of 4 Gb
> each. In this experiment I am not getting any "fragment" event.
Again, we really need trace snippets to diagnose problems like these. You
should extract a small subset of the trace that you believe should cause
behavior different from what Bro does.
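The extra clause `ip[6:2] & 0x3fff != 0` in the suggested filter reads the 16-bit flags/fragment-offset word of the IPv4 header and matches any packet with MF set or a non-zero offset. The following is an added illustration, not code from this thread or from Bro, that evaluates that same test over constructed sample headers (10.0.0.1/10.0.0.2 and the header fields are made up):

```python
import struct

# Bit layout of the 16-bit word at IPv4 header offset 6 (what BPF's ip[6:2] reads):
#   bit 15: reserved, bit 14: DF (don't fragment), bit 13: MF (more fragments),
#   bits 12..0: fragment offset in 8-byte units.
DF = 0x4000
MF = 0x2000
OFFSET_MASK = 0x1fff

def ipv4_header(proto: int, flags: int = 0, offset_units: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header; constructed sample data, not a real capture."""
    frag_word = flags | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 28, 0x1234, frag_word, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def bpf_fragment_clause(pkt: bytes) -> bool:
    """Same test as the BPF expression `ip[6:2] & 0x3fff != 0`: true when MF is
    set or the offset is non-zero, i.e. for every fragment of a fragmented
    datagram. The 0x3fff mask deliberately drops the DF bit (0x4000), so an
    unfragmented packet with DF set is not mistaken for a fragment."""
    word = struct.unpack_from("!H", pkt, 6)[0]
    return (word & 0x3fff) != 0

def describe_fragment(pkt: bytes) -> dict:
    """Decode the same word into its fields for inspection alongside the verdict."""
    word = struct.unpack_from("!H", pkt, 6)[0]
    return {"df": bool(word & DF), "mf": bool(word & MF),
            "offset_bytes": (word & OFFSET_MASK) * 8,
            "is_fragment": bpf_fragment_clause(pkt)}

# Constructed samples: a plain TCP segment, a DF-only UDP packet, and the first
# and last fragments of a UDP datagram (last fragment starts at byte 1480).
SAMPLES = {
    "plain_tcp": ipv4_header(6),
    "df_only_udp": ipv4_header(17, flags=DF),
    "first_frag_udp": ipv4_header(17, flags=MF, offset_units=0),
    "last_frag_udp": ipv4_header(17, flags=0, offset_units=185),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} {describe_fragment(pkt)}")
```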