[Bro] using Bro as traffic analyzer.
Siwek, Jonathan Luke
jsiwek at illinois.edu
Fri Dec 9 08:16:23 PST 2011
> I have written a script called local.bro which was applied to the connection events connection_established & connection_first_ACK,
> but it seems that the events have not been triggered. I tested the script with the network trace "http.pcap" provided on the Bro website.
If you check reporter.log, there are some hints indicating that your c$loc optional field value is missing at the times when you try to write to the log (meaning the event handlers are actually invoked, but don't do anything because of the error). To fix it you should first check that c$loc is initialized in the handlers and also fill in any of its fields that you can. Have a look at the alterations I made in the attached file to see if it makes sense for what you were trying to do.
Attachment (non-text, scrubbed by the archive; 899 bytes): http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111209/297602dc/attachment.obj
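The pattern the reply describes, as an added illustration rather than the attached file from the thread: an optional record field on the connection record is guarded with `c?$loc` and initialized before either handler touches it, so `Log::write` no longer hits a missing-field error in reporter.log. The module name `LocInfo`, the `Info` record and its fields, and the `ensure_loc` helper are assumptions made for this example; only `c$loc`, `connection_established` and `connection_first_ACK` come from the thread.

```bro
# Added example (not the poster's local.bro): guarding an optional
# connection field before logging it in Bro 2.x.

module LocInfo;

export {
    redef enum Log::ID += { LOG };

    # Hypothetical log record; field names are assumptions for this example.
    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        handshake: string  &log &optional;
    };
}

# Attach the optional c$loc field to every connection record.
# Being &optional, it is absent until something assigns it.
redef record connection += {
    loc: Info &optional;
};

event bro_init()
    {
    Log::create_stream(LocInfo::LOG, [$columns=Info]);
    }

# Initialize c$loc the first time any handler sees this connection.
# Without this check, reading or logging c$loc raises a
# "field value missing" error in reporter.log and the handler aborts.
function ensure_loc(c: connection)
    {
    if ( ! c?$loc )
        c$loc = [$ts=network_time(), $uid=c$uid, $id=c$id];
    }

event connection_first_ACK(c: connection)
    {
    ensure_loc(c);
    c$loc$handshake = "first_ack";
    }

event connection_established(c: connection)
    {
    ensure_loc(c);
    c$loc$handshake = "established";
    # Safe now: every field the log stream needs has been filled in.
    Log::write(LocInfo::LOG, c$loc);
    }
```

Running `bro -r http.pcap local.bro` with this script should produce a `locinfo.log` with one row per established connection and no new entries in reporter.log; if the `ensure_loc(c)` calls are removed, the rows disappear and the reporter.log errors the reply mentions come back, which is a quick way to confirm the diagnosis.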