Hello again,

I was trying to figure out the tcp/udp flag in conn.bro:record_connection from is_tcp_port, and I got as far as bro.bif before I got lost. I was looking at the iana.org site and it looks like it's a pretty degenerate test, i.e., all the ports can be either. How does bro determine tcp vs udp?

Thanks,
Mike