[Bro] Traffic analysis by Bro

Robin Sommer robin at icir.org
Fri Nov 10 09:10:41 PST 2006


On Thu, Nov 09, 2006 at 12:32 -0600, Abhinay Kampasi wrote:

> What traffic does Bro monitor by default (i.e. what pcap capture filter 
> does it use)?

It builds the pcap filter dynamically at startup depending on which
scripts you load. Just load the script print-filter to see what it
looks like in your particular setup.

> Does this modify the global filter? I mean do all the policy scripts 
> (and not only my script) see the SSH traffic?

Yes. Yes. There's always only one pcap filter in use. 

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org


