[Bro] Fragmentation and TCP overlapping Issues

Vern Paxson vern at icir.org
Wed Dec 8 21:06:43 PST 2010


> All fragment events are handle by flow weird. When is invoked flow
> weird handler?

It's only used for packets that are so broken that Bro can't reliably
associate them with a connection.

> How can I redef these variables? I tried to redef this variables on
> my start policy but all I get are errors ((port and 21): error,

If you want TCP port 21 then you specify it as "21/tcp", not just "21".

		Vern



More information about the Bro mailing list