[Bro] Bro as a fancy pcap filter

Ruoming Pang (庞若鸣) rpang at cs.princeton.edu
Mon Nov 21 18:15:20 PST 2005


> I just bumped into a situation where I wanted to tell Bro to record
> packets to an output pcap file, but do so only under certain
> circumstances. In my case this essentially boiled down to "only the
> first packet in a 5-tuple TCP/UDP flow that carries app-layer data",
> but let's imagine any decision that depends on policy- or in-core state.
>
> I got it to work by hacking around in the core, but it wasn't pretty.
> Does Bro have a mechanism for doing this nicely? In the rewriter
> framework, maybe (is that documented anywhere btw)? Thanks!

Yes, there's some primitive mechanism to do that. Sorry, it's 
undocumented, but let me give it a try here:

# Set the flag to true to enable the "TCP source packet writer" (sorry, no UDP).
# All packets will be kept until they are dumped or the connection ends,
# so please be very careful in using it for live traffic.
redef dump_selected_source_packets = T;

# Connections already dumped, so each one is dumped only once. This bookkeeping
# and the filled-in condition below are an assumed completion of the sketch,
# which originally left the test as "<this is the first packet carrying some data>".
global dumped: set[conn_id];

# Full tcp_packet signature from bro.init, in place of the "..." in the sketch.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
        {
        # First packet of the connection carrying some data.
        if ( len > 0 && c$id !in dumped )
                {
                add dumped[c$id];
                dump_packets_of_connection(c); # dump all packets up to this point for connection c.
                }
        }

event connection_state_remove(c: connection)
        {
        delete dumped[c$id]; # forget the connection once Bro drops its state.
        }

And you can imagine calling dump_packets_of_connection() in all kinds 
of other events.

Currently there's no built-in function to discard packets that we do 
not want to dump (so there's no way to dump the exact 10th packet of a 
connection), but the code is already there (see class 
TCP_SourcePacketWriter), so it's fairly simple to implement.

Ruoming
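
The selection the question asks for (record only the first packet of each TCP/UDP 5-tuple flow that carries application-layer data), written as a standalone pcap filter over raw IPv4 packets (link type 101) rather than inside Bro's source packet writer. This is an added example, not code from the thread or from Bro; unlike the TCP-only mechanism above it also handles UDP, and make_tcp, ipv4_flow_info, select_first_data_packets, write_pcap and the sample TRACE are names and data constructed here.

```python
import struct

def ipv4_flow_info(pkt):
    """(proto, src, sport, dst, dport, payload_len) for raw IPv4 TCP/UDP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    proto, src, dst, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:total]
    if proto == 6 and len(l4) >= 20:      # TCP: header length = data offset * 4
        hdr_len = (l4[12] >> 4) * 4
    elif proto == 17 and len(l4) >= 8:    # UDP: fixed 8-byte header
        hdr_len = 8
    else:
        return None                       # truncated or not TCP/UDP
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, src, sport, dst, dport, len(l4) - hdr_len

def select_first_data_packets(packets):
    """Indexes of the first packet carrying application data in each 5-tuple flow.
    Flows are direction-insensitive; SYNs, bare ACKs and later data are skipped."""
    seen, keep = set(), []
    for i, pkt in enumerate(packets):
        info = ipv4_flow_info(pkt)
        if info is None or info[5] <= 0:
            continue
        proto, src, sport, dst, dport, _ = info
        flow = (proto, frozenset([(src, sport), (dst, dport)]))
        if flow not in seen:
            seen.add(flow)
            keep.append(i)
    return keep

def write_pcap(packets):
    """Serialize packets as pcap bytes, link type 101 (raw IP, no Ethernet header)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101))
    for ts, pkt in enumerate(packets):    # constructed timestamps, one second apart
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)

def make_tcp(src, dst, sport, dport, payload=b""):
    """Constructed IPv4+TCP packet for testing (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip + tcp

A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed sample hosts
TRACE = [make_tcp(A, B, 1234, 80),                              # SYN, no data
         make_tcp(B, A, 80, 1234),                              # SYN/ACK, no data
         make_tcp(A, B, 1234, 80, b"GET / HTTP/1.0\r\n\r\n"),   # first data: keep
         make_tcp(B, A, 80, 1234, b"HTTP/1.0 200 OK\r\n"),      # same flow: skip
         make_tcp(A, B, 1235, 80, b"x")]                        # new flow: keep
```

`write_pcap([TRACE[i] for i in select_first_data_packets(TRACE)])` yields the filtered capture; note that, like Bro's writer, a filter that needs the whole flow history must buffer every packet until the decision is made, which is the memory cost to watch on live traffic.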
