[Bro] How does Bro capture the traffic of ftp data connection?

Robin Sommer robin at icir.org
Thu Mar 15 12:09:57 PDT 2007


On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:

>    So how does it dynamically add the filter string to capture the
> temporary traffic?

It doesn't. Dynamically changing the BPF filter is too expensive as
it would need to be recompiled every time (and the filter would
quickly get huge). 

If you want Bro to analyze the content of ftp-data sessions, you
need to manually override the pcap filter to include all packets,
e.g., by running with "-f tcp". 

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
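To make concrete why the blanket filter is the practical answer here: the endpoint of an ftp-data session is negotiated on the control channel (a PORT command in active mode, a 227 reply in passive mode), so a filter that only watches port 21 never sees the transfer, and a per-session filter would need a fresh term for every transfer. The following is an added example, not Bro's code and not part of Robin's reply; it parses constructed FTP control lines and builds the BPF expression a dynamic approach would have to keep appending, next to the plain "tcp" filter that "-f tcp" selects. The host/port regex and the `DataEndpoint` class are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed FTP control-channel lines (not a real capture): an active-mode
# PORT command from the client and a passive-mode 227 reply from the server.
SAMPLE_CONTROL_LINES = [
    "PORT 192,168,1,10,19,137",
    "227 Entering Passive Mode (10,0,0,5,195,80).",
    "USER anonymous",
]

# RFC 959 encodes host and port as six comma-separated decimal octets:
# h1,h2,h3,h4,p_hi,p_lo with port = p_hi*256 + p_lo.
HOST_PORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


@dataclass(frozen=True)
class DataEndpoint:
    mode: str   # "active" (PORT command) or "passive" (227 reply)
    host: str
    port: int


def parse_data_endpoint(line: str) -> Optional[DataEndpoint]:
    """Return the data-connection endpoint announced on the control channel,
    or None if the line announces no endpoint."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"
    elif line.startswith("227 "):
        mode = "passive"
    else:
        return None
    m = HOST_PORT_RE.search(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):
        return None  # malformed announcement; refuse rather than guess
    h1, h2, h3, h4, p_hi, p_lo = octets
    return DataEndpoint(mode, f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo)


def bpf_for_endpoint(ep: DataEndpoint) -> str:
    """BPF term that would have to be added to capture this one data session."""
    return f"(host {ep.host} and port {ep.port})"


def dynamic_filter(lines: List[str], base: str = "port 21") -> str:
    """The growing filter a per-session approach would need: every negotiated
    endpoint appends a term, and each change means recompiling the whole thing."""
    terms = [base]
    for line in lines:
        ep = parse_data_endpoint(line)
        if ep is not None:
            terms.append(bpf_for_endpoint(ep))
    return " or ".join(terms)


# What running with "-f tcp" amounts to: one fixed filter, compiled once,
# that also covers every ephemeral ftp-data port.
STATIC_FILTER = "tcp"


if __name__ == "__main__":
    for line in SAMPLE_CONTROL_LINES:
        print(line, "->", parse_data_endpoint(line))
    print("dynamic:", dynamic_filter(SAMPLE_CONTROL_LINES))
    print("static: ", STATIC_FILTER)
```

Run it as a script to see the two filters side by side; the dynamic one gains a term per transfer, which is the cost the reply above is pointing at.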
