[Bro] tcp delay events!?

Khaled El Dassouki ke17 at aub.edu.lb
Tue Jan 3 03:56:06 PST 2012


Hello,
Thank you for your quick feedback. It worked and my problem is solved.
Btw: I suspected my traces (I am using the MAWI traces), so I tried the new_packets and tcp_packets events on the ftp.traces used in your last workshop. The result was the same. However, there is another thing I would like to point out when using the tcp_packet event handler: the event is fired two times at the same moment (network_time()) for the SYN and the SYN ACK messages. Is this normal? For this stage I will manage by using the new_connection and the connection established events.
I will be using Bro for the rest of my PhD (it is a great tool). My next step will be targeting VoIP, mainly SIP; is there any SIP analyser for Bro?
Thanks again,
Khaled.



Quoting Vern Paxson <vern at ICIR.org>:

>> I tried the tcp_packet and new_packet events but it seems that
>> they are not fired at every received packet.
>
> They pretty much should indeed be generated for every received packet,
> other than corner-case exceptions such as bad packet headers, or fragments
> (there are a number of these).  What I suspect is happening is that
> the traffic you're interested in isn't matching the packet-capture filter,
> so it's not being looked at in the first place.  The way to check this
> is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.
>
> 		Vern
>
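The script below is an added example, not code from either poster, showing how the events discussed in this thread fit together in a Bro 2.x policy script: it handles new_connection, tcp_packet and connection_established, prints network_time() together with is_orig and the TCP flags so the SYN and SYN-ACK events can be told apart even when their timestamps coincide, and counts tcp_packet events per connection so the "not fired for every packet" symptom can be checked against the packet count in the trace. The event signatures are the Bro 2.x ones; the table name, the trace file name and the invocation are assumptions.

```bro
# Added example: per-connection accounting of the packet-level events
# discussed in the thread. Assumes Bro 2.x event signatures. Run as
#   bro -r trace.pcap -f tcp tcp_events.bro
# The "-f tcp" sets the capture filter to all TCP packets, so every TCP
# packet in the trace reaches the event engine (assumed file names).

# Number of tcp_packet events seen per connection (assumed table name).
global pkts_per_conn: table[conn_id] of count;

event new_connection(c: connection)
	{
	print fmt("%s new_connection %s", network_time(), c$id);
	}

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	if ( c$id !in pkts_per_conn )
		pkts_per_conn[c$id] = 0;
	++pkts_per_conn[c$id];

	# The originator's SYN and the responder's SYN-ACK each raise their
	# own tcp_packet event; is_orig and the flags string ("S" vs "SA")
	# distinguish them even when network_time() is the same for both.
	if ( "S" in flags )
		print fmt("%s tcp_packet orig=%s flags=%s seq=%d ack=%d",
		          network_time(), is_orig, flags, seq, ack);
	}

event connection_established(c: connection)
	{
	# Raised once per connection after the handshake completes.
	print fmt("%s connection_established %s", network_time(), c$id);
	}

event connection_state_remove(c: connection)
	{
	# Compare this count with the packets the trace holds for the
	# connection; a large gap points at the capture filter, not at Bro.
	local n = c$id in pkts_per_conn ? pkts_per_conn[c$id] : 0;
	print fmt("%s %d tcp_packet events for %s", network_time(), n, c$id);
	delete pkts_per_conn[c$id];
	}
```

Running it without "-f tcp" against a trace where most traffic falls outside the default capture filter reproduces the original symptom: connections whose packets never match the filter simply never raise new_connection or tcp_packet.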