[Bro] tcp delay events!?
Khaled El Dassouki
ke17 at aub.edu.lb
Tue Jan 3 03:56:06 PST 2012
Thank you for your quick feedback. It worked and my problem is solved.

Btw: I suspected my traces (I am using the MAWI traces), so I tried the
new_packets and tcp_packets events on the ftp.traces used in your last
workshop. The result was the same. However, there is another thing that
I would like to point to when using the tcp_packet event handler:
the event is fired two times at the same moment (network_time()) for
the SYN and the SYN ACK message. Is it normal? I will manage to use
during this stage the new_connection and the connection established

I will be using Bro for the rest of my PhD (it is a great tool). My
next step will be targeting VoIP and mainly SIP; is there any SIP
analyser for Bro?
Quoting Vern Paxson <vern at ICIR.org>:
>> I tried the tcp_packet and new_packet events but it seems that
>> they are not fired at every received packet.
> They pretty much should indeed be generated for every received packet,
> other than corner-case exceptions such as bad packet headers, or fragments
> (there are a number of these). What I suspect is happening is that
> the traffic you're interested in isn't matching the packet-capture filter,
> so it's not being looked at in the first place. The way to check this
> is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.
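A small script to reproduce the observation in this thread (the SYN and SYN-ACK both raising tcp_packet, and their network_time() values). This is an added example, not code from the thread or from the Bro distribution; the script name syn_timing.bro and the trace file name trace.pcap are placeholders.

```bro
# Added example: log the flags and network_time() of the SYN and SYN-ACK of
# each TCP connection, so the two tcp_packet events discussed above can be
# compared side by side. Run with Vern's capture filter suggestion:
#   bro -r trace.pcap -f tcp syn_timing.bro        (file names are placeholders)

module SynTiming;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;   # network_time() when the event fired
        uid:     string  &log;
        id:      conn_id &log;
        is_orig: bool    &log;   # T for the client's SYN, F for the server's SYN-ACK
        flags:   string  &log;   # "S" for the SYN, "SA" for the SYN-ACK
    };
}

# Number of SYN-flagged packets already logged per connection, keyed by uid,
# so retransmitted SYNs do not flood the log.
global seen: table[string] of count &default=0;

event bro_init()
    {
    Log::create_stream(SynTiming::LOG, [$columns=Info]);
    }

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # Only the handshake packets carry the S flag.
    if ( "S" !in flags )
        return;

    ++seen[c$uid];
    if ( seen[c$uid] > 2 )
        return;

    Log::write(SynTiming::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                                $is_orig=is_orig, $flags=flags]);
    }

event connection_established(c: connection)
    {
    # Fires once the handshake completes; compare this timestamp with the
    # two logged packets to see whether the events share a network_time().
    print fmt("%s established at %s", c$uid, network_time());
    }
```

The resulting syn_timing.log has one row for the SYN (is_orig=T) and one for the SYN-ACK (is_orig=F); identical ts values on both rows are what the thread describes.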