[Bro] Event for syn-ack packet

Vern Paxson vern at icir.org
Wed May 23 10:02:02 PDT 2012


> Thanks. I thought the event connection_established was generated after the
> initial 3-way handshake is completed as mentioned here:

Yeah, that's in fact a documentation glitch :-(.  That describes what
probably *should* be done, but in fact the event is generated on seeing
the SYN-ACK (I just double-checked the code).  I wrote it that way eons
ago when Bro often operated on TCP streams that had been filtered to
SYN/FIN/RST packets only, which meant it wouldn't see the pure ACK completing
the handshake.

		Vern



More information about the Bro mailing list