[Bro] using Bro as traffic analyzer.

Readon Shaw xydarcher at 163.com
Fri Dec 9 18:10:56 PST 2011

>> I have written a script called local.bro which was applied to the connection events connection_established & connection_first_ACK,
>> but it seems that the events have not triggered. I tested the script with the network trace "http.pcap" provided on the Bro website.
>If you check reporter.log, there's some hints indicating that your c$loc optional field value is missing at the times when you try to write to the log (meaning the event handlers are actually invoked, but don't do anything because of the error).  To fix it you should first check that c$loc is initialized in the handlers and also fill in any of its fields that you can.  Have a look at the alterations I made in the attached file to see if it makes sense for what you were trying to do.
That is the point.
It works now, but I didn't find reporter.log in the directory. Is there something important I have missed in the command?

Readon Shaw
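For readers following the thread, the pattern the reply describes (an `&optional` field on the connection record that is read before anything set it) looks like this in a Bro 2.x script. This is an added example, not the attachment from the thread or the poster's local.bro: the `loc` field redefinition, the `Local` module and its log stream are assumptions about what that script did; `lookup_location()`, `geo_location`, `connection_established` and `connection_first_ACK` are Bro built-ins.

```bro
# Added example (not from the thread): guard an optional connection field
# before writing it to a log, so the handlers do not fail silently.
module Local;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:      time    &log;
		uid:     string  &log;
		id:      conn_id &log;
		country: string  &log &optional;
		city:    string  &log &optional;
	};
}

# Assumed shape of the poster's redefinition: an optional geo field on every
# connection. Nothing sets it automatically, so handlers must fill it in.
redef record connection += {
	loc: geo_location &optional;
};

event bro_init()
	{
	Log::create_stream(Local::LOG, [$columns=Info]);
	}

# Initialize c$loc on first use. lookup_location() is a Bro built-in that
# returns a geo_location record for an address (fields may be unset).
function ensure_loc(c: connection)
	{
	if ( ! c?$loc )
		c$loc = lookup_location(c$id$orig_h);
	}

function write_loc(c: connection)
	{
	ensure_loc(c);
	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];

	# The geo_location fields are themselves &optional; reading an unset one
	# is the same class of error the reporter.log hint points at.
	if ( c$loc?$country_code )
		rec$country = c$loc$country_code;
	if ( c$loc?$city )
		rec$city = c$loc$city;

	Log::write(Local::LOG, rec);
	}

event connection_established(c: connection)
	{
	write_loc(c);
	}

event connection_first_ACK(c: connection)
	{
	write_loc(c);
	}
```

Run it against the trace the thread mentions with `bro -r http.pcap local.bro`; the `?$` checks are what distinguish "handler never fired" from "handler fired and aborted on a missing field", which is the confusion the reply resolves.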
