[Bro] get TCP payload of first ACK from client

Xu Zhang zhangxu1115 at gmail.com
Fri Jun 23 15:47:45 PDT 2017


I'm writing a bro script to output the TCP payload of the first ACK from the client
(is_orig = True).
I'm currently using the tcp_packet event, checking the ACK flag and payload length
as well as whether it is the first ACK. I'm wondering if there is a cheaper way
to achieve this, since tcp_packet is pretty expensive.

I cannot use the connection_first_ACK event because it does not give me the
actual TCP payload.
I cannot use ssl_client_hello because I want to handle not only SSL.

Does anyone have suggestions? Thanks for the help!

Xu Zhang
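The approach described in the message, written out as a complete Bro script (this is an added example, not code from the original post or from the Bro project). It handles tcp_packet, keeps only originator packets that carry the ACK flag and at least one payload byte, and logs the first such packet per connection; the module name, the log stream name, the `max_len` cap and the output path are assumptions chosen for the example.

```bro
# Added example: log the payload of the first data-carrying ACK sent by the
# originator of each TCP connection, using the tcp_packet event.
# Load with, for example:  bro -r trace.pcap first_ack_payload.bro

module FirstAckPayload;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        payload: string  &log;
    };

    # Cap on how many payload bytes are written to the log (assumed value).
    const max_len = 64 &redef;
}

# Connections whose first originator ACK-with-data has already been logged.
# Keyed by connection UID so each connection is handled at most once.
global seen: set[string];

event bro_init()
{
    Log::create_stream(LOG, [$columns=Info, $path="first_ack_payload"]);
}

# Note: simply defining this handler makes Bro raise tcp_packet for every
# TCP packet, which is the cost the original message refers to.
event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
{
    # Only the originator side, only packets with the ACK flag, only with data.
    # (The handshake ACK has len == 0 and is therefore skipped.)
    if ( ! is_orig || len == 0 || "A" !in flags )
        return;

    # Already logged the first one for this connection.
    if ( c$uid in seen )
        return;

    add seen[c$uid];

    # Truncate and escape non-printable bytes before writing to the log.
    local p = |payload| > max_len ? sub_bytes(payload, 1, max_len) : payload;
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                     $payload=escape_string(p)]);
}

# Release per-connection state when the connection is removed.
event connection_state_remove(c: connection)
{
    delete seen[c$uid];
}
```

The `seen` set and the `connection_state_remove` cleanup keep memory bounded on long captures; without the cleanup the set would grow with every connection observed. The filter does not change the per-packet cost of tcp_packet itself, it only limits what reaches the log.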