[Bro] Backdoor Analyzer for interactive traffic
Vern Paxson
vern at icir.org
Tue Nov 14 13:46:59 PST 2006
> According to the paper, the filter (ip[2:2] -
> ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all
> "small" packets. However, when I print the capture filter using
> print-filter analyzer, I cannot see this filter being loaded. How and
> when is this filter loaded? I want to be able to detect interactive
> connections on any random port.
In your wrapper script, add
redef capture_filters += {
["interconn"] =
"(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20"
};
to explicitly set the filter.
Vern
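To see what that capture filter actually selects, here is an added example (my own code, not part of Vern's reply or of the Bro distribution) that evaluates the same BPF arithmetic in Python over constructed IPv4/TCP packets. The packet builder and the function names are assumptions made for illustration; the real mechanism in Bro remains the `redef capture_filters` above. The point it shows is that `ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)` is simply the TCP payload length, so "<= 20" means "at most 20 bytes of data", which is what keystroke-sized interactive traffic looks like regardless of port:

```python
# Added example: evaluates the "small packet" BPF expression from the thread,
#   (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20
# in pure Python over raw IPv4/TCP bytes. Not code from Bro or from the post.
import struct

SMALL_PACKET_MAX = 20  # threshold used by the filter in the thread


def ipv4_tcp_fields(pkt: bytes):
    """Return (ip_total_len, ip_hdr_len, tcp_hdr_len_unmasked, tcp_hdr_len_masked).

    ip[2:2]          -> IPv4 total length, bytes 2-3 of the IP header
    (ip[0]&0x0f)<<2  -> IP header length (IHL words * 4), so IP options count
    tcp[12]>>2       -> TCP data offset nibble * 4; tcp[] is relative to the
                        TCP header, so libpcap adds the IHL for you
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                        # (ip[0]&0x0f)<<2
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    byte12 = pkt[ihl + 12]                            # tcp[12]
    unmasked = byte12 >> 2                            # exactly as written in the thread
    masked = (byte12 & 0xF0) >> 2                     # tcpdump's usual idiom
    return total_len, ihl, unmasked, masked


def tcp_payload_len(pkt: bytes) -> int:
    """Payload length via the masked form (robust to nonzero reserved bits)."""
    total_len, ihl, _, masked = ipv4_tcp_fields(pkt)
    return total_len - ihl - masked


def matches_small_packet_filter(pkt: bytes, mask_reserved: bool = False) -> bool:
    """True if the packet would pass the capture filter.

    mask_reserved=False reproduces the thread's expression literally;
    True applies the (tcp[12]&0xf0) mask.
    """
    total_len, ihl, unmasked, masked = ipv4_tcp_fields(pkt)
    thl = masked if mask_reserved else unmasked
    return total_len - ihl - thl <= SMALL_PACKET_MAX


def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"",
                   tcp_options: bytes = b"", reserved_bits: int = 0) -> bytes:
    """Constructed test packet (assumed addresses/ports, zero checksums)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    doff_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          12345, 22, 0, 0,
                          (doff_words << 4) | (reserved_bits & 0x0F),
                          0x18,          # PSH|ACK
                          65535, 0, 0) + tcp_options
    total_len = ihl_words * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return ip_hdr + tcp_hdr + payload


# Constructed samples: a keystroke, a keystroke with TCP timestamps, a bulk
# transfer chunk, both sides of the 20-byte boundary, and a packet with IP options.
TS_OPT = b"\x01\x01\x08\x0a" + bytes(8)   # NOP, NOP, timestamp(10 bytes)
SAMPLES = {
    "keystroke": build_ipv4_tcp(b"l"),
    "keystroke_ts": build_ipv4_tcp(b"ls\n", tcp_options=TS_OPT),
    "bulk": build_ipv4_tcp(b"A" * 1400),
    "edge_20": build_ipv4_tcp(b"A" * 20),
    "edge_21": build_ipv4_tcp(b"A" * 21),
    "ip_opts": build_ipv4_tcp(b"x", ip_options=bytes(4)),
}
# 21-byte payload with reserved bits set in tcp[12]: the unmasked form undercounts
# the header length by 3 bytes and therefore wrongly admits this packet.
RESERVED_BITS_PKT = build_ipv4_tcp(b"A" * 21, reserved_bits=0x0C)

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} payload={tcp_payload_len(pkt):5d} "
              f"small={matches_small_packet_filter(pkt)}")
    print("reserved-bits packet: literal filter =",
          matches_small_packet_filter(RESERVED_BITS_PKT),
          " masked filter =", matches_small_packet_filter(RESERVED_BITS_PKT, True))
```

Two practical notes. First, the expression only looks at packet size, so TCP options, IP options and the port number make no difference: a 1-byte payload on port 8080 passes just as a 1-byte payload on port 22 does, which is why it serves for detecting interactive sessions on arbitrary ports. Second, the form written in the thread uses `tcp[12]>>2` without masking the low nibble of that byte; the tcpdump idiom is `(tcp[12]&0xf0)>>2`. With the reserved bits zero, as they normally are, both agree, but a packet that sets those bits is admitted by the unmasked version even when its payload exceeds 20 bytes, as the `RESERVED_BITS_PKT` sample shows.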