[Bro] tcp delay events!?
vern at icir.org
Sat Dec 31 12:17:44 PST 2011
> I tried the tcp_packet and new_packet events but it seems that
> they are not fired at every received packet.
They pretty much should indeed be generated for every received packet,
other than corner-case exceptions such as bad packet headers, or fragments
(there are a number of these). What I suspect is happening is that
the traffic you're interested in isn't matching the packet-capture filter,
so it's not being looked at in the first place. The way to check this
is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.