[Bro] Extraction of IP identification field from tcpdump file

sridhar basam sri at basam.org
Tue Feb 21 08:03:27 PST 2012

On Tue, Feb 21, 2012 at 7:40 AM, Rishi Sahay <basusahay at gmail.com> wrote:
> Hello,
>  I want to extract the IP identification field from the tcpdump file. I have
> extracted header information from the packet in the tcpdump file using the
> conn.bro script. But the IP identification field has not been extracted. Is
> there any script available to extract the IP identification field? I am
> using BRO IDS 1.5.3. Please help me in this regard. Thanks in advance.

Assuming you mean the 16-bit id value in the IP header, all I could
come up with is via the event new_packet.

global new_packet: event(c: connection, p: pkt_hdr);


Handling new_packet is a costly event in terms of performance. I am
curious, if you don't mind, why you are tracking the ID values. Seems
like a lot to keep track of and print out.


> --
> Best regards
>   Rishikesh Sahay
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
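Below is an added example of the approach named in the reply above; it is not code from this post and not a script shipped with Bro. It handles new_packet in Bro 1.5-style script syntax and pulls the IP identification value out of each packet. The field names p$ip$id, p$ip$src and p$ip$dst are assumed to follow the ip4_hdr record layout of that release, and the ip_id_seen table is a constructed name used to show one way to make the per-packet cost pay for something (spotting a source that reuses the same IP ID).

```bro
# Added example (not from the original mailing-list post): log the IP
# identification field of every packet via the new_packet event.
# Assumption: pkt_hdr$ip is an ip4_hdr record carrying id/src/dst, as in
# Bro 1.5 (no IPv6 header variant).

# Constructed table: how many times each (source, IP ID) pair was seen,
# so a source that reuses an ID can be flagged. (hypothetical name)
global ip_id_seen: table[addr, count] of count &default = 0;

event new_packet(c: connection, p: pkt_hdr)
{
    # Only the IPv4 header carries the 16-bit identification field.
    local id: count = p$ip$id;
    local src: addr = p$ip$src;

    # One line per packet: this fires for every packet Bro sees, which is
    # the performance cost the reply warns about.
    print fmt("%s -> %s id=%d", src, p$ip$dst, id);

    ++ip_id_seen[src, id];
    if ( ip_id_seen[src, id] > 1 )
        print fmt("note: %s reused IP ID %d", src, id);
}
```

Run it as a normal policy file against a capture (bro -r file.pcap this-script.bro); because new_packet fires for every packet, in practice you would narrow the handler to the hosts or connections you actually care about rather than printing everything.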
