[Bro] Handling connections missing TCP handshake

Thomas, Eric D edthoma at sandia.gov
Tue Jul 8 08:44:27 PDT 2014


I have a pcap with a bunch of HTTP connections. The TCP handshake (SYN, SYN-ACK, ACK) is missing for most of those connections. When processing the PCAP with a default bro config, those HTTP sessions missing the handshake are not logged in http.log (I can see the GET requests and HTTP responses in the PCAP). Is there an easy way to get Bro’s HTTP analyzer to process them anyway?
--
Eric Thomas
edthoma at sandia.gov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140708/31c39319/attachment.html 


More information about the Bro mailing list