[Bro] TCP Partial Connection

Vern Paxson vern at icir.org
Thu Nov 9 00:33:22 PST 2006


> When I run capture files with a few TCP (HTTP) packets, without the
> handshake packets, the HTTP event handlers were not called in this case. I
> suppose BRO will recognize it as a TCP packet and then do nothing with the
> packet.
> 
> How does BRO handle these TCP packets without handshake packets?

It is customized per analyzer.  Some analyzers designate that they
can analyze partial connections, while others cannot.  (It boils down
to how likely is the analyzer to be able to synchronize its parsing
given it's starting in the middle of a connection.)

		Vern
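
The synchronization question raised in the reply, as an added example that is not part of the original message and is not Bro's analyzer code: a simplified heuristic that looks for a point in a mid-connection HTTP/1.x byte stream where parsing could begin. The function name `resync`, the patterns, and the sample byte strings are all constructed for illustration.

```python
import re

# Start lines an HTTP/1.x parser can anchor on: a request line or a status line.
METHODS = rb"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT)"
PATTERNS = (
    ("request", re.compile(METHODS + rb" (?P<detail>\S+) HTTP/1\.[01]\r\n")),
    ("reply", re.compile(rb"HTTP/1\.[01] (?P<detail>\d{3}) [^\r\n]*\r\n")),
)


def resync(stream: bytes):
    """Return (offset, kind, detail) for the first usable start line, or None.

    A candidate only counts at offset 0 or directly after CRLF, so text that
    merely resembles a start line inside a header value is not taken as a
    message boundary. This is a heuristic: body bytes can still mimic a start
    line, which is why a text protocol is only "likely" to resynchronize.
    """
    best = None
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(stream):
            start = m.start()
            if start == 0 or stream[start - 2:start] == b"\r\n":
                if best is None or start < best[0]:
                    best = (start, kind, m.group("detail").decode("ascii"))
                break  # first boundary-aligned match of this kind is enough
    return best


# Constructed samples: each is what a monitor might see when capture starts
# after the handshake, somewhere inside an established connection.
MID_REQUEST = (b"ept: */*\r\nHost: example.test\r\n\r\n"
               b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n")
MID_REPLY = b"\x1f\x8b\x08\x00tail\r\nHTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
EMBEDDED = b"X-Note: GET /fake HTTP/1.1\r\n\r\n"   # start-line text inside a header
BINARY = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00"  # body bytes only

if __name__ == "__main__":
    for name, data in (("MID_REQUEST", MID_REQUEST), ("MID_REPLY", MID_REPLY),
                       ("EMBEDDED", EMBEDDED), ("BINARY", BINARY)):
        print(name, resync(data))
```

When `resync` returns `None`, the observed bytes give a parser nothing to anchor on, which is the situation in which an analyzer would decline partial connections.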


