[Bro-Dev] Find filtered traces?
jsiwek at illinois.edu
Tue Jun 23 09:22:16 PDT 2015
> On Jun 22, 2015, at 3:50 PM, Seth Hall <seth at icir.org> wrote:
> I’ve been noticing this message...
> 1232039469.548925 warning in ~/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
> I have looked at the script yet, but I’ve seen it often enough with traces that I generally think of as “normal” that I suspect there is something buggy in the script. Anyone have any ideas?
Here’s some history of the decision to add that script if that’s what you’re looking for:
But as far as whether the script actually mis-detects that situation, I also didn’t look closely enough to know — feel free to send pcaps if you still find the behavior fishy/not-obvious.