[Bro] is_tcp_port

Christian Kreibich christian at whoop.org
Wed Aug 3 13:41:26 PDT 2005


On Wed, 2005-08-03 at 14:34 -0500, Mike Muratet wrote:
> Hello Again
> 
> I was trying to figure out the tcp/udp flag in conn.bro:record_connection 
> from is_tcp_port and I got as far as bro.bif before I got lost.

The functions listed in .bif files are Built-In Functions, i.e.,
functions implemented in the core. To find such a function's
implementation, go to the src directory, and find the corresponding .bif
file, in this case bro.bif, which shows:

function is_tcp_port%(p: portval%): bool
	%{
	return new Val(p->IsTCP(), TYPE_BOOL);
	%}

Next you need to know that a portval in the policy is mapped to a
PortVal object in the core, so the implementation of PortVal::IsTCP() is
found in Val.cc.

> I was 
> looking at the iana.org site and it looks like it's a pretty degenerate 
> test, i.e., all the ports can be either.

Yeah sure, both UDP and TCP can have ports 0-65535.

> How does bro determine tcp vs udp?

From looking at the IP header of the sniffed packets, which tells Bro
what protocol is at the transport layer. Check NetSessions::DoNextPacket
around line 436 and Stevens' TCP/IP Illustrated Vol 1 for details.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
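The reply above makes two points: a port number alone says nothing about TCP vs UDP, and Bro settles the question from the IP header's protocol field before it ever builds a port value. The following is an added example, not code from Bro or from the thread's participants. It models that in Python: a small `PortVal` class (named after Bro's, but my own) carries the transport protocol alongside the port number, `extract_ports` reads the IPv4 protocol byte and the IHL so that IP options don't shift the port offsets, and `is_tcp_port`/`is_udp_port` work the way the .bif snippet does. All packets are constructed inline with the helper builders (`build_ipv4`, `build_tcp`, `build_udp`), not captured traffic; checksums are left zero since nothing here verifies them.

```python
"""Added example (not Bro's code): decide TCP vs UDP from the IP header,
then attach that protocol to the extracted port values."""
import struct
from dataclasses import dataclass

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass(frozen=True)
class PortVal:
    """Port number plus the transport protocol it belongs to.
    Modelled on the idea behind Bro's PortVal, not its actual code."""
    num: int
    proto: int

    def is_tcp(self) -> bool:
        return self.proto == IPPROTO_TCP

    def is_udp(self) -> bool:
        return self.proto == IPPROTO_UDP


def is_tcp_port(p: PortVal) -> bool:
    """Counterpart of the bro.bif built-in: answered from the stored protocol."""
    return p.is_tcp()


def is_udp_port(p: PortVal) -> bool:
    return p.is_udp()


def parse_ipv4(pkt: bytes):
    """Return (protocol, transport bytes). Honours IHL so options are skipped."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]                      # the byte that decides TCP vs UDP
    return proto, pkt[ihl:total_len]


def extract_ports(pkt: bytes):
    """Return (src, dst) PortVals, or None when the transport has no ports."""
    proto, payload = parse_ipv4(pkt)
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    if len(payload) < 4:
        raise ValueError("truncated transport header")
    sport, dport = struct.unpack("!HH", payload[:4])   # same offsets for TCP and UDP
    return PortVal(sport, proto), PortVal(dport, proto)


# --- constructed sample packets (hypothetical addresses, zero checksums) ---

def build_ipv4(proto: int, transport: bytes, options: bytes = b"") -> bytes:
    assert len(options) % 4 == 0, "IP options must pad to 32-bit words"
    ihl = (20 + len(options)) // 4
    total = 20 + len(options) + len(transport)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + transport


def build_tcp(sport: int, dport: int) -> bytes:
    # seq, ack, data offset 5 words, SYN flag, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_TCP = build_ipv4(IPPROTO_TCP, build_tcp(40000, 53))
SAMPLE_UDP = build_ipv4(IPPROTO_UDP, build_udp(40000, 53, b"\x12\x34"))
SAMPLE_TCP_OPTS = build_ipv4(IPPROTO_TCP, build_tcp(40000, 53), options=b"\x01" * 4)  # 4 NOPs
SAMPLE_ICMP = build_ipv4(IPPROTO_ICMP, b"\x08\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in [("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP),
                      ("tcp+opts", SAMPLE_TCP_OPTS), ("icmp", SAMPLE_ICMP)]:
        ports = extract_ports(pkt)
        if ports is None:
            print(f"{name}: no ports (not TCP/UDP)")
        else:
            _, dst = ports
            print(f"{name}: dst {dst.num} tcp={is_tcp_port(dst)} udp={is_udp_port(dst)}")
```

The point the thread makes shows up directly: port 53 over TCP and port 53 over UDP produce two distinct `PortVal`s that compare unequal, because the protocol came from byte 9 of the IP header, not from any property of the number 53.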