[Bro] Partial tcpdump traces

Danny Nechay d.nechay at gmail.com
Tue Apr 22 23:18:23 PDT 2008


Hi,

Could you possibly point me towards which files or functions I should look
at to get rid of these sanity checks? I know I'm not exactly using Bro for
its proper use - I just need it to provide a ground truth for all flows
inside of a trace. So far I've had no problems with full tcpdump traces, but
if I could just find a way for it to handle partial tcpdump traces then it
would suit my needs perfectly.
Thanks.

Daniel.

On Tue, Apr 22, 2008 at 6:02 PM, Robin Sommer <robin at icir.org> wrote:

>
> On Tue, Apr 22, 2008 at 08:36 -0700, I wrote:
>
> > I think yes, it should. My guess would have also been that it's the
> > checksum check which prevents Bro from doing the matching. I'll try
> > it later to see what I can find.
>
> So I looked briefly into this: there are more sanity checks inside
> the TCP analyzer which prevent the payload from reaching the
> signature engine. Nothing we'd really want to change though I think.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
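Robin's remark about sanity checks in the TCP analyzer is easiest to see by auditing the trace itself: which frames were captured shorter than their wire length, and whether a TCP checksum can even be verified on a segment whose tail is missing. The following is an added example written for this archive page, not Bro code and not from either poster; it assumes a classic little- or big-endian pcap with Ethernet framing and IPv4/TCP, and builds its own constructed two-packet sample.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 sum; returns 0 when run over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))   # IPv4 pseudo-header
    return inet_checksum(pseudo + segment)

def audit_pcap(data: bytes) -> dict:
    """Per frame: truncated (caplen < wire length); for IPv4/TCP, whether the checksum
    verifies, fails, or cannot be checked because the segment was cut short."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # pcap magic 0xA1B2C3D4
    stats = dict(packets=0, truncated=0, tcp_ok=0, tcp_bad=0, tcp_unverifiable=0)
    off = 24                                        # skip the pcap global header
    while off + 16 <= len(data):
        caplen, origlen = struct.unpack(endian + "II", data[off + 8:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        stats["packets"] += 1
        stats["truncated"] += caplen < origlen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                # not IPv4/TCP, or headers themselves cut
        ihl = (pkt[14] & 0x0F) * 4
        ip_end = 14 + struct.unpack("!H", pkt[16:18])[0]
        if ip_end > len(pkt):                       # payload missing: checksum is meaningless
            stats["tcp_unverifiable"] += 1
            continue
        ok = tcp_checksum(pkt[26:30], pkt[30:34], pkt[14 + ihl:ip_end]) == 0
        stats["tcp_ok" if ok else "tcp_bad"] += 1
    return stats
def build_frame(payload: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp     # constructed Ethernet/IPv4/TCP frame
def build_pcap(records) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, Ethernet
    for frame, caplen in records:                   # records: (frame, bytes actually captured)
        out += struct.pack("<IIII", 0, 0, caplen, len(frame)) + frame[:caplen]
    return out
FULL = build_frame(b"GET / HTTP/1.0\r\n\r\n")          # constructed sample, 72 bytes on the wire
SAMPLE = build_pcap([(FULL, len(FULL)), (FULL, 60)])   # second copy captured with a 60-byte snaplen
```

The truncated copy is counted as unverifiable rather than bad: the checksum field is present but the bytes it covers are not, which is the situation an analyzer's sanity checks refuse to reason about.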