[Bro] UDP contents

Mike Dopheide dopheide at ncsa.uiuc.edu
Mon Jan 29 12:22:26 PST 2007


I'm having a slight problem getting the contents of Kerberos UDP 
packets.  This is my first attempt at Bro so hopefully my error is 
something simple.

Bro version 1.1d

When a client requests an initial Kerberos ticket it sends a request to 
the server (AS_REQ) and the server reply is usually either the ticket or 
an error.  I want to watch the initial AS_REQ, but all I'm seeing is the 
response from the server.

In this case, /tmp/trace2.out is a tcpdump of a couple of Kerberos requests 
from the client's perspective, and the AS_REQs are there when looking 
at the dump via ethereal.


/usr/local/bro/bin/bro -r /tmp/trace2.out hostname.bro

======  policy/bro.init  =============
...
const udp_content_deliver_all_orig = T &redef;
const udp_content_deliver_all_resp = T &redef;
...
======  site/hostname.bro ========
@prefixes = local
@load site
@load conn.bro    # not really needed

global dop = open_log_file("dop") &redef;

event udp_contents(u: connection, is_orig: bool, contents: string)
{
    local id = u$id;

    print dop, fmt("KDC %s %s", id$orig_p, id$resp_p);
    print dop, fmt("contents %s", contents);
}
===========================

Sample output from one of the requests; this is the server responding 
back to the client.  Again, Bro is running on the client.

KDC 32898/udp 88/udp
contents 
~\x82^A^I0\x82^A^E\xa0^C^B^A^E\xa1^C^B^A\x1e\xa2^Q^X^O20070125213047Z\xa4^Q^X^O20070125213048Z\xa5^E^B^C^F\x80\xb5\xa6^C^B^A^Y\xa7^J\x1b^HNCSA.EDU\xa8^U0^S\xa0^C^B^A^A\xa1^L0^J\x1b^Hdopheide\xa9^J\x1b^HNCSA.EDU\xaa\x1d0\x1b\xa0^C^B^A\0\xa1^T0^R\x1b^Fkrbtgt\x1b^HNCSA.EDU\xab^Q\x1b^ONEEDED_PREAUTH\0\xacf^Dd0b0^I\xa1^C^B^A^B\xa2^B^D\00J\xa1^C^B^A^S\xa2C^DA0?0^E\xa0^C^B^A^R0^E\xa0^C^B^A^P0^E\xa0^C^B^A^A0^E\xa0^C^B^A^C0^I\xa0^C^B^A^A\xa1^B\x1b\00^V\xa0^C^B^A^A\xa1^J\x1b^HNCSA.EDU\xa2^C^D^A^A0^I\xa1^C^B^A^M\xa2^B^D\0

Any thoughts?  Is it just because the AS_REQ is outgoing on the system 
where Bro is running?  (And why would that matter?)

-Mike
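
The dump above starts with "~" (0x7e), which is the DER tag for a KRB-ERROR; an AS_REQ would start with "j" (0x6a). The following is an added example in Python, not code from the post or from Bro: a minimal DER walker that classifies a Kerberos UDP payload by that outer tag and pulls the error-code and realm out of a KRB-ERROR. The two sample messages are constructed for the demo and carry only the fields the code reads.

```python
# Classify a Kerberos-over-UDP payload by its outer [APPLICATION n] tag.
# Added example with constructed sample messages; not taken from the post.

KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}

def der_tlv(buf, off=0):
    """Parse one DER TLV at buf[off:] -> (tag, value, next_off). Single-byte tags
    and lengths up to 0xFFFF are enough for anything that fits in one datagram."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 2 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Split a constructed value into its list of (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out

def classify_krb_udp(payload):
    """Name the Kerberos message from its outer tag; None if not APPLICATION class."""
    tag, _, _ = der_tlv(payload)
    if tag & 0xC0 != 0x40:                 # class bits 01 = APPLICATION
        return None
    return KRB_MSG_TYPES.get(tag & 0x1F, "UNKNOWN")

def krb_error_summary(payload):
    """For a KRB-ERROR, return (error-code, crealm) from fields [6] and [7]."""
    tag, body, _ = der_tlv(payload)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR")
    _, seq, _ = der_tlv(body)              # the SEQUENCE inside the wrapper
    fields = {t & 0x1F: v for t, v in der_children(seq)}
    code = int.from_bytes(der_tlv(fields[6])[1], "big")
    realm = der_tlv(fields[7])[1].decode("ascii")
    return code, realm

# Constructed minimal messages. Field numbering differs per message: KDC-REQ has
# pvno [1]/msg-type [2]; KRB-ERROR has pvno [0]/msg-type [1]. Error 0x19 = 25 = KDC_ERR_PREAUTH_REQUIRED.
AS_REQ = bytes.fromhex("6a0c300a" "a103020105" "a20302010a")
KRB_ERR = bytes.fromhex("7e1d301b" "a003020105" "a10302011e" "a603020119" "a70a1b08") + b"NCSA.EDU"
```

Running classify_krb_udp over the orig and resp payloads of each udp_contents event tells you immediately whether the originator side (the AS-REQ) is ever being delivered.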
