[Bro] Event for syn-ack packet

Sheharbano Khattak sheharbano.k at gmail.com
Wed May 23 09:58:44 PDT 2012

Thanks. I thought the event connection_established was generated after the
initial 3-way handshake is completed as mentioned here:


On Wed, May 23, 2012 at 9:42 PM, Vern Paxson <vern at icir.org> wrote:

> To clarify, a SYN-ACK in response to a SYN is enough for Bro to generate
> connection_established.  It doesn't actually look for a full 3-way
> handshake (i.e., an ACK of the SYN-ACK).  Does that help?  Alternatively,
> if you have traces you can share that demonstrate a failure to get the
> connection_established event, then we can look into just what's going on.
>                Vern

Sheharbano Khattak
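
Added example, not part of the original thread and not Bro's own code: a simplified Python model of the distinction described in the quoted reply, separating connections where only a SYN-ACK answered the SYN from those where the originator also ACKed it. The `Seg` tuple, the state names, both functions and the sample segments are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed segment summary (an assumption, not a Bro data structure).
Seg = namedtuple("Seg", "src dst flags seq ack")
MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 32 bits


def classify(segments):
    """Map (originator, responder) to how far the handshake got."""
    conns = {}
    for s in segments:
        flags = set(s.flags)
        if flags == {"S"}:
            conns.setdefault((s.src, s.dst),
                             {"state": "syn_only", "isn": s.seq, "resp_isn": None})
        elif flags == {"S", "A"}:
            c = conns.get((s.dst, s.src))
            # The SYN-ACK must answer the originator's SYN (ack == ISN + 1).
            if c and c["state"] == "syn_only" and s.ack == (c["isn"] + 1) & MASK:
                c["state"], c["resp_isn"] = "synack_seen", s.seq
        elif flags == {"A"}:
            c = conns.get((s.src, s.dst))
            # Third step: the originator acknowledges the responder's ISN + 1.
            if (c and c["state"] == "synack_seen"
                    and s.ack == (c["resp_isn"] + 1) & MASK):
                c["state"] = "handshake_complete"
    return {k: v["state"] for k, v in conns.items()}


def synack_without_final_ack(segments):
    """Connections that saw a valid SYN-ACK but no ACK of that SYN-ACK."""
    return sorted(k for k, st in classify(segments).items() if st == "synack_seen")


# Constructed sample: three attempts against the same responder.
R = "192.0.2.10:80"
SAMPLE = [
    Seg("198.51.100.1:40000", R, "S", 1000, 0),
    Seg(R, "198.51.100.1:40000", "SA", 5000, 1001),
    Seg("198.51.100.1:40000", R, "A", 1001, 5001),   # full 3-way handshake
    Seg("198.51.100.2:40001", R, "S", MASK, 0),       # ISN at the wrap boundary
    Seg(R, "198.51.100.2:40001", "SA", 7000, 0),      # SYN-ACK, never ACKed
    Seg("198.51.100.3:40002", R, "S", 3000, 0),       # SYN only, no reply
]

if __name__ == "__main__":
    for conn, state in classify(SAMPLE).items():
        print(conn, state)
```

In this model the second connection is the case the reply describes: a SYN-ACK was seen, so the event condition is met, yet the handshake was never completed.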
