[Bro] - ICMP not in conn.log

Seth Hall seth at corelight.com
Thu Aug 17 08:57:34 PDT 2017

On 16 Aug 2017, at 8:32, william de ping wrote:

> Does anyone know why ICMP does not appear in conn.log?
> I see that the plugin and icmp analyzer are loaded, yet no indication in
> conn.log for proto icmp.

We never created a model to include that data.  I've had it on my radar 
for a while, but unfortunately have not found the time to add it.

I was hoping to figure out a way to include the data in conn.log for 
connections where ICMP was seen in relation to a connection (like Time 
Exceeded) instead of just having them listed as separate "connections".


Seth Hall * Corelight, Inc * www.corelight.com
