[Bro] nfs analysis
Christian Kreibich
christian at whoop.org
Wed Sep 26 17:04:29 PDT 2007
On Mon, 2007-09-24 at 10:39 -0700, Mike Wood wrote:
> Sadly, yes I do not get any output from nfs.bro.
>
> The tcpdump output for my trace looks like:
>
> 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> 132 getattr [|nfs]

(I feel I won't be able to give the definitive answer to this one, so
others are very welcome to jump in.)

I wonder whether it could be that Bro doesn't read all of the traffic --
check whether the resulting filter looks decent by adding
print-filter.bro at the end of your invocation?

Also, I'm wondering how the source port can be 4160508447 in your
tcpdump!?

Cheers,
Christian
--
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org