> One way is through event tcp_packet:
> ...
> But please note that it requires a per-TCP-packet event and thus only
> works for low volume traffic.

Yes. And, more generally, this sort of low-level analysis is not what Bro is designed for. If all you want to do is count URG packets, a simple tcpdump filter is much more efficient.

Vern
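What a tcpdump filter for URG packets checks, as an added example that is not part of the original message: the pcap-filter expression `tcp[tcpflags] & tcp-urg != 0` tests bit 0x20 of byte 13 of the TCP header, and the Python below applies the same test to a classic pcap held in memory. The function names and the sample capture are constructed for illustration.

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte (byte 13 of the TCP header)

def count_urg(pcap: bytes) -> int:
    """Count TCP segments with URG set in a little-endian Ethernet/IPv4 pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off, hits = 24, 0                      # 24-byte global header
    while off + 16 <= len(pcap):           # 16-byte per-record header
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                       # not IPv4
        if frame[23] != 6:
            continue                       # IP protocol is not TCP
        if struct.unpack_from(">H", frame, 20)[0] & 0x1FFF:
            continue                       # later fragment: no TCP header
        tcp = 14 + (frame[14] & 0x0F) * 4  # honour the IP header length
        if len(frame) >= tcp + 14 and frame[tcp + 13] & URG:
            hits += 1
    return hits

def _frame(flags: int, proto: int = 6) -> bytes:
    """Constructed 54-byte frame; checksums are left at zero."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    l4 = struct.pack(">HHIIBBHHH", 40000, 23, 1, 0, 0x50, flags, 1024, 0,
                     1 if flags & URG else 0)
    return eth + ip + l4

def build_sample() -> bytes:
    """Constructed capture: SYN, URG|ACK|PSH, ACK, a non-TCP packet, URG|ACK."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = (_frame(0x02), _frame(0x38), _frame(0x10),
              _frame(0x20, proto=17), _frame(0x30))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(count_urg(build_sample()))
```
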