sorry,there're something wrong with my mailer this morning.<br><br>Thank you for your answer<br><br>How does bro be aware of the close of
ftp data connection if she can't capture the corresponding tcp session
packet? via the interactive info appeared in the ftp control connection?<br>And
£¬To dynamically capture some certain traffic without including all
packet, it feels feasible to create a new thread/process to run
another bro to capture and analyze£¬but is this process so long as to
miss some packets in that certain session?<br><br>On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:<br><br>> So how does it dynamically add the filter string to capture the<br>> temporary traffic?<br><br>It doesn't. Dynamically changing the BPF filter is too expensive as
<br>it would need to be recompiled every time (and the filter would<br>quickly get huge). <br><br>If you want Bro to analyze the content of ftp-data sessions, you<br>need to manually override the pcap filter to include all packets,
<br>e.g., by running with "-f tcp". <br><br>Robin<br><br>-- <br>Robin Sommer * Phone +1 (510) 931-5555 * <a href="mailto:robin@icir.org">robin@icir.org</a> <br>LBNL/ICSI * Fax +1 (510) 666-2956 * <a rel="nofollow" target="_blank" href="http://www.icir.org/">
www.icir.org</a><br><br>