[Bro] Artificial SYN-Packets?

Vern Paxson vern at icir.org
Tue Jun 9 04:42:08 PDT 2009


Okay, I analyzed this, and the answer is that the connection compressor
can't generate new_packet events for some packets because new_packet
requires an associated connection (first parameter to the event handler),
and the point of the compressor is to not initially create connections.
It can't really fake up a new_packet event in this context once it does
create the connection, because it has (deliberately) lost the interesting
detail.

Your script should work as expected if you run it with
use_connection_compressor=F.  Perhaps the presence of a new_packet
event handler should turn off the compressor automatically; or
perhaps we should change new_packet to not have an associated
connection (though I imagine that would often prove inconvenient).

		Vern


