[Bro] tcp contents
Vern Paxson
vern at icir.org
Mon Nov 29 13:37:27 PST 2004
> In short, this is what I'm trying to do: I want to selectively save
> the payload/contents of a TCP stream to a file just based on the
> protocol/port number.
If you want to do this offline, processing a trace, then it's very
easy - just "bro -f 'tcp port 80 or tcp port 25' -r trace contents",
for example.
If you want to do it online while also doing other work, then a
natural way would be something like:
    # Responder ports whose contents we want (smtp and http, matching the
    # "tcp port 80 or tcp port 25" filter above). A typed set[port] keeps the
    # membership test below unambiguous.
    global interesting_services: set[port] = { 25/tcp, 80/tcp };

    event connection_established(c: connection)
    	{
    	# demux_conn() writes each direction of the reassembled stream to its
    	# own file, named from the tag plus the "orig"/"resp" suffixes.
    	if ( c$id$resp_p in interesting_services )
    		demux_conn(c$id, "interesting", "orig", "resp");
    	}
(with the caveat that I haven't tested this)
Vern
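The same idea in current Zeek script, as an added example that is not part of Vern's message or of the Bro/Zeek project's own scripts: demux_conn() no longer exists, and set_contents_file() is the call that writes a connection's reassembled payload to a file. The module name, the port set and the output directory are assumptions chosen for the illustration.

```zeek
# Added example (not from the original message): save the payload of TCP
# connections to selected responder ports, one file per direction.

module ContentsByPort;

export {
	## Responder ports whose stream contents are written to disk.
	## Assumed values (smtp and http); redef or change via option.
	option interesting_services: set[port] = { 25/tcp, 80/tcp };

	## Directory the contents files are written to (assumed; must exist,
	## since open() does not create directories).
	option contents_dir = "contents";
}

event connection_established(c: connection)
	{
	if ( c$id$resp_p !in interesting_services )
		return;

	# Name the files after the connection UID so the payload can be joined
	# back to the matching conn.log entry. port_to_count() avoids putting
	# the "/tcp" suffix (and its slash) into a file name.
	local base = fmt("%s/%s-%d", contents_dir, c$uid,
	                 port_to_count(c$id$resp_p));

	# CONTENTS_ORIG and CONTENTS_RESP select the direction; the file handle
	# is owned by the connection from here on and closed when it ends.
	set_contents_file(c$id, CONTENTS_ORIG, open(fmt("%s.orig", base)));
	set_contents_file(c$id, CONTENTS_RESP, open(fmt("%s.resp", base)));
	}

# Write errors are reported asynchronously; surface them instead of
# silently losing payload.
event contents_file_write_failure(c: connection, is_orig: bool, msg: string)
	{
	Reporter::warning(fmt("contents write failed for %s (%s): %s",
	                      c$uid, is_orig ? "orig" : "resp", msg));
	}
```

Run it as `zeek -r trace.pcap contents-by-port.zeek` after creating the `contents` directory. As in the original question, selection is by port only; a service on a non-standard port is missed and unrelated traffic on 25/tcp or 80/tcp is captured, so treat the port set as a filter, not as protocol identification.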