<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: Robin Sommer &lt;robin@icir.org&gt;<br>To: ?$B7'1JJ? &lt;john8xyp@yahoo.com.cn&gt;<br>Cc: Bro@bro-ids.org; bro@ICSI.Berkeley.EDU<br>Sent: 2007/3/16 (Fri), 3:09:57 AM<br>Subject: Re: [Bro] How does Bro capture the traffic of ftp data connection ?<br><br>Thank you for your answer.<br><br>How is Bro aware of the close of the ftp data connection if it can't capture the corresponding tcp session packets? Via the interactive info that appears in the ftp control connection?<br>And, to dynamically capture certain traffic without including all packets, it seems feasible to create a
new thread/process to run another Bro to capture and analyze, but is this process so long that it misses some packets in that session?<br><div><br>On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:<br><br>> So how does it dynamically add the filter string to capture the<br>> temporary traffic?<br><br>It doesn't. Dynamically changing the BPF filter is too expensive as<br>it would need to be recompiled every time (and the filter would<br>quickly get huge). <br><br>If you want Bro to analyze the content of ftp-data sessions, you<br>need to manually override the pcap filter to include all packets,<br>e.g., by running with "-f tcp". <br><br>Robin<br><br>-- <br>Robin Sommer * Phone +1 (510) 931-5555 * robin@icir.org <br>LBNL/ICSI * Fax +1 (510) 666-2956 * <a target="_blank" href="http://www.icir.org">www.icir.org</a><br></div></div><br></div></div><br>
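<div>Added example, not part of the original thread and not Bro's own code: the ftp-data endpoint is negotiated per transfer on the control channel (RFC 959 PORT command and 227 reply), so a filter that tracked data connections would gain one clause per transfer and need recompiling each time. The base filter "tcp port 21", the function names and the sample lines are assumptions made for illustration.</div>

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoint(line):
    """Return (ip, port) negotiated by a PORT command or a 227 reply, else None."""
    text = line.strip()
    upper = text.upper()
    if not (upper.startswith("PORT ") or upper.startswith("227 ")):
        return None
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed field; ignore rather than guess
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port = p1 * 256 + p2
    return ip, port


def grown_filter(base, control_lines):
    """Build the capture filter a per-session approach would need after these lines."""
    clauses = [base]
    for line in control_lines:
        ep = data_endpoint(line)
        if ep is not None:
            clauses.append("(host %s and tcp port %d)" % ep)
    return " or ".join(clauses)


# Constructed control-channel lines (documentation addresses, not real traffic).
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,200,21",
    "227 Entering Passive Mode (198,51,100,7,19,137)",
    "RETR file.bin",
    "227 Entering Passive Mode (198,51,100,7,300,1)",  # malformed field, skipped
]

if __name__ == "__main__":
    # Hypothetical base filter covering only the FTP control channel.
    print(grown_filter("tcp port 21", SAMPLE))
```

<div>Each transfer adds another clause to the expression, which is the growth and recompilation cost described in the reply; "-f tcp" avoids it by capturing all TCP packets up front.</div>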
</body></html>