[Bro] getting raw bytes?

Dan Klinedinst dklinedinst at lbl.gov
Wed Aug 10 07:57:28 PDT 2011

OK, this is possibly a dumb question, but I can't find it in
documentation or existing scripts.  How can I grab a few specific
bytes from a connection?  E.g., if I want to look for successful X11
connections, I expect to see the following immediately after the TCP
header: 0100 0b00 0000.  How do I write something like:

if (c$id$resp_p == 6000)
  if (first_6_bytes_after_tcp_header == 01000b000000)
    do something

Thanks. Sorry for the noob questions.

Dan Klinedinst
Lawrence Berkeley National Laboratory
dklinedinst at lbl.gov
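One way to do what the post asks without reaching for raw bytes from the script layer is to let Bro's signature framework match the first six bytes of the server's reply and hand the connection to a script event. This is an added example, not code from the thread or from the Bro project. The port and the six byte values are the ones given in the post (status 1 = Success, one unused byte, then protocol major 11 and minor 0 as little-endian 16-bit values); the file names x11.sig and x11.bro and the signature name x11-accepted are arbitrary choices.

```bro
# ---- x11.sig (constructed example; file name is an assumption) ----
# Match the start of an X11 server's connection-setup reply on the
# server-to-client stream: 01 00 0b 00 00 00.  The leading ^ anchors the
# pattern to the first payload byte, so it cannot match later in the
# stream.  src-port selects packets sent by the X server.
signature x11-accepted {
    ip-proto == tcp
    src-port == 6000
    payload /^\x01\x00\x0b\x00\x00\x00/
    event "X11 connection accepted"
}

# ---- x11.bro (constructed example; file name is an assumption) ----
# The "event" action in the signature raises signature_match; the
# signature_state record carries the matching connection, so the usual
# c$id fields are available here.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "x11-accepted" )
        return;

    local c = state$conn;

    # Only the server's direction should ever match, but check anyway
    # so a client that happens to send the same bytes is not reported.
    if ( state$is_orig )
        return;

    print fmt("%s: X server %s:%s accepted a client from %s",
              msg, c$id$resp_h, c$id$resp_p, c$id$orig_h);
    }
```

Load both with `bro -s x11.sig x11.bro` (or the equivalent signature-loading directive for the Bro version in use). If the check really has to live in script code, the same six bytes can be read from the `contents` argument of the `tcp_contents` event after adding `6000/tcp` to `tcp_content_delivery_ports_resp`, but the signature route is cheaper because the matching runs in the core rather than on every delivered chunk.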
