[Bro] UDP contents

Christian Kreibich christian at whoop.org
Mon Jan 29 15:15:27 PST 2007


Hi Mike,

it doesn't look like you're doing anything wrong. However, I've just
tried dumping some UDP contents with Bro 1.2.1 and it works fine, so we
need to figure out why it's not working for you.

I have this traffic:

22:26:10.089582 IP 1.2.3.211.53 > 200.33.146.222.32789:  3628*- 1/4/4 PTR [...]. (245)
22:26:10.089582 IP 1.2.3.211.32789 > 200.33.146.222.53:  18275 A? [...]. (44)
22:26:10.229573 IP 1.2.3.211.53 > 200.33.146.222.32789:  18275*- 1/3/3 A [...] (187)
22:30:39.981424 IP 1.2.3.211.32789 > 200.33.146.222.53:  36142 PTR? [...]. (44)
22:30:40.141413 IP 1.2.3.211.53 > 200.33.146.222.32789:  36142* 1/2/2 PTR [...]. (16
22:30:40.151412 IP 1.2.3.211.32789 > 200.33.146.222.53:  20837 A? [...]. (52)
22:30:40.311401 IP 1.2.3.211.53 > 200.33.146.222.32789:  20837 NXDomain* 0/1/0 (120)

and this policy, in which I don't print out the contents, but have added
output of the is_orig flag that shows the directionality of the packet:

----
# Log file that receives one line per UDP packet seen by udp_contents.
global dop = open_log_file("dop") &redef;

# is_orig is T for packets sent by the connection's originator and F for
# packets sent by the responder, so it shows each packet's direction.
event udp_contents(u: connection, is_orig: bool, contents: string){
  local id = u$id;
  print dop, fmt("KDC %s %s %s", id$orig_p, id$resp_p, is_orig);
}
----

I get output from both directions as expected:

KDC 32789/udp 53/udp F
KDC 32789/udp 53/udp T
KDC 32789/udp 53/udp F
KDC 32789/udp 53/udp T
KDC 32789/udp 53/udp F
KDC 32789/udp 53/udp T
KDC 32789/udp 53/udp F

Could you validate via is_orig whether you see the right directions, and use
Bro 1.2.1 for your tests?

On Mon, 2007-01-29 at 14:22 -0600, Mike Dopheide wrote:
> I'm having a slight problem getting the contents of Kerberos UDP 
> packets.  This is my first attempt at Bro so hopefully my error is 
> something simple.
[...]

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
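The check Christian suggests, reading is_orig to confirm each packet's direction, can be rehearsed outside Bro on the tcpdump lines quoted above. The following Python is an added example and not code from the mail or from Bro: it parses the quoted lines (constructed here as a sample, with the truncated "(16" of the fifth line left as posted), keys packets by their UDP endpoint pair, and reports orig_p, resp_p and is_orig the way the KDC lines do. The orientation rule it uses, that a host speaking from a port below 1024 is taken as the responder even when its packet is the first one seen, is an assumption chosen to reproduce the output in the mail, not a statement of how Bro 1.2.1 decides direction.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: the seven tcpdump lines quoted in the mail, with the
# fifth line's truncated length field "(16" kept as it appears in the post.
SAMPLE_TCPDUMP = """\
22:26:10.089582 IP 1.2.3.211.53 > 200.33.146.222.32789:  3628*- 1/4/4 PTR [...]. (245)
22:26:10.089582 IP 1.2.3.211.32789 > 200.33.146.222.53:  18275 A? [...]. (44)
22:26:10.229573 IP 1.2.3.211.53 > 200.33.146.222.32789:  18275*- 1/3/3 A [...] (187)
22:30:39.981424 IP 1.2.3.211.32789 > 200.33.146.222.53:  36142 PTR? [...]. (44)
22:30:40.141413 IP 1.2.3.211.53 > 200.33.146.222.32789:  36142* 1/2/2 PTR [...]. (16
22:30:40.151412 IP 1.2.3.211.32789 > 200.33.146.222.53:  20837 A? [...]. (52)
22:30:40.311401 IP 1.2.3.211.53 > 200.33.146.222.32789:  20837 NXDomain* 0/1/0 (120)
"""

# Only the front of each tcpdump line is needed: timestamp, hosts and ports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sh>\d+\.\d+\.\d+\.\d+)\.(?P<sp>\d+) > "
    r"(?P<dh>\d+\.\d+\.\d+\.\d+)\.(?P<dp>\d+):"
)


def looks_like_service_port(port: int) -> bool:
    # Assumption for this example (not Bro's rule): ports below 1024 are
    # service ports, so the host using one is treated as the responder.
    return port < 1024


def parse_packet(line: str) -> Optional[Tuple[Endpoint, Endpoint]]:
    """Return ((src_host, src_port), (dst_host, dst_port)) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["sh"], int(m["sp"])), (m["dh"], int(m["dp"]))


def orient_connections(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """One (orig_p, resp_p, is_orig) triple per packet, mirroring the fields
    the udp_contents handler in the mail prints for each packet."""
    orig_of: Dict[FrozenSet[Endpoint], Endpoint] = {}
    out: List[Tuple[str, str, bool]] = []
    for line in lines:
        parsed = parse_packet(line)
        if parsed is None:
            continue
        src, dst = parsed
        key = frozenset((src, dst))
        if key not in orig_of:
            # First packet of this endpoint pair decides the orientation,
            # unless it comes from a service port and the peer does not.
            orig = src
            if looks_like_service_port(src[1]) and not looks_like_service_port(dst[1]):
                orig = dst
            orig_of[key] = orig
        orig = orig_of[key]
        resp = dst if orig == src else src
        out.append((f"{orig[1]}/udp", f"{resp[1]}/udp", src == orig))
    return out


def format_kdc_lines(lines: List[str]) -> List[str]:
    """Render the triples in the same shape as the KDC lines in the mail."""
    return [
        f"KDC {orig_p} {resp_p} {'T' if is_orig else 'F'}"
        for orig_p, resp_p, is_orig in orient_connections(lines)
    ]


if __name__ == "__main__":
    for kdc_line in format_kdc_lines(SAMPLE_TCPDUMP.splitlines()):
        print(kdc_line)
```

Run against the sample, the output alternates F, T, F, T, F, T, F with orig_p 32789/udp and resp_p 53/udp throughout, matching the seven KDC lines in the mail; a trace whose is_orig values come out reversed or all the same would point at a direction problem rather than at the handler.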