[Bro] TCP options of a SYN packet

Thomas Tan thomastan81 at gmail.com
Thu Nov 26 03:29:00 PST 2015


Dear Jan,

Many thanks for your reply. I am using the tcp_option event. However, it seems
to me that the event can't tell which TCP options are from the SYN packet
of a connection and which ones are from other packets of the connection. I
think I will look into the TCPRS-plugin.

Best regards,

Thomas

On 26 November 2015 at 12:16, Jan Grashofer <jan.grashofer at cern.ch> wrote:

> Hi Thomas,
>
>
>
> there is the tcp_option event, that might help you (see
> https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_TCP.events.bif.bro.html#id-tcp_option).
> If that does not fit for you, you might have a look into the TCPRS-plugin (
> https://github.com/bro/bro-plugins/tree/master/tcprs/scripts/Bro/TCPRS).
> I have never used it but I think it also parses some TCP options and thus
> might be a good starting point.
>
>
>
> Best regards,
>
> Jan
>
>
> ------------------------------
> *From:* bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Thomas Tan
> [thomastan81 at gmail.com]
> *Sent:* Thursday, November 26, 2015 10:18
> *To:* bro at bro.org
> *Subject:* [Bro] TCP options of a SYN packet
>
> Dear All,
>
> Just wondering if anyone knows a way (an event) to obtain TCP options of a
> SYN packet?
>
> Your help will be very much appreciated.
>
> Thank you.
>
> Best regards,
>
> Thomas
>
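The distinction discussed in this thread (options carried by the SYN versus options on later packets) can be made by reading the flags and the options from the same TCP header. The following is an added example, not code from the thread, from Bro or from the TCPRS plugin; it works on raw TCP segment bytes rather than on the tcp_option event, and the function names and sample segments are constructed for illustration.

```python
import struct

# TCP option kinds (IANA); kinds 0 and 1 are single-byte, all others are kind/length/value.
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-Permitted", 8: "Timestamps"}

def parse_tcp_options(segment: bytes):
    """Return (is_syn, [(kind, name, value_bytes), ...]) for one raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than minimum TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    is_syn = bool(off_flags & 0x002)            # SYN bit of the flags field
    raw, i, options = segment[20:header_len], 0, []
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                           # End of Option List: the rest is padding
            options.append((0, "EOL", b""))
            break
        if kind == 1:                           # NOP has no length byte
            options.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option length byte missing")
        length = raw[i + 1]                     # length covers kind and length bytes
        if length < 2 or i + length > len(raw):
            raise ValueError("option length out of range")
        options.append((kind, OPT_NAMES.get(kind, "kind-%d" % kind), raw[i + 2:i + length]))
        i += length
    return is_syn, options

def syn_options(segments):
    """Keep option lists only from segments with SYN set (SYN and SYN/ACK)."""
    return [opts for is_syn, opts in map(parse_tcp_options, segments) if is_syn]

def build_header(flags, opts):
    # Constructed sample header: ports 40000 -> 80, seq 1, ack 0, window 65535.
    off = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (off << 12) | flags, 65535, 0, 0) + opts

# Constructed samples: a SYN with MSS 1460, SACK-Permitted, NOP, WScale 7; an ACK with timestamps.
SYN = build_header(0x002, bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 3, 3, 7]) + b"\x00\x00")
ACK = build_header(0x010, bytes([1, 1, 8, 10]) + struct.pack("!II", 100, 200))
```
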