> I got lost. I was > looking at the iana.org site and it looks like it's a pretty degenerate > test, i.e., all the ports can be either. How does bro determine tcp vs udp? Internally, it sets bit 17 for UDP ports and bit 18 for ICMP "ports". See UDP_PORT_MASK and ICMP_PORT_MASK in Val.h. Vern