[Bro] getting raw bytes?
Dan Klinedinst
dklinedinst at lbl.gov
Wed Aug 10 07:57:28 PDT 2011
OK, this is possibly a dumb question, but I can't find it in
documentation or existing scripts. How can I grab a few specific
bytes from a connection? E.g., if I want to look for successful X11
connections, I expect to see the following immediately after the TCP
header: 0100 0b00 0000. How do I write something like:
    if (c$id$resp_p == 6000/tcp)
        if (first_6_bytes_after_tcp_header == "\x01\x00\x0b\x00\x00\x00")
            do something
?
Thanks. Sorry for the noob questions.
Dan
--
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst at lbl.gov
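Two ways to express the check from the question in Bro, added here as an illustrative example that is not part of the original thread; it assumes Bro 2.x's signature framework (`signature_match`, `@load-sigs` or `signature_files`), the `tcp_contents` event gated by `tcp_content_delivery_ports_resp`, and the `byte_len`/`sub_bytes` built-ins:

```bro
# ---- x11-accept.sig (constructed example; byte pattern taken from the question) ----
# The X11 server's setup reply begins: success=0x01, one pad byte, major version 11
# (0x0b00 little-endian), minor version 0.  '^' anchors the match to the first
# payload byte, and src-port == 6000 restricts it to the server-to-client direction.
signature x11-server-accepted {
    ip-proto == tcp
    src-port == 6000
    payload /^\x01\x00\x0b\x00\x00\x00/
    event "X11 server accepted the connection"
}

# ---- x11-accept.bro ----
@load-sigs ./x11-accept.sig        # Bro 2.1+; on older releases use instead:
                                   # redef signature_files += "x11-accept.sig";

# Approach 1: let the signature engine do the byte matching.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "x11-server-accepted" )
        return;
    local c = state$conn;
    print fmt("%s: %s -> %s:%s", msg, c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }

# Approach 2: look at the responder's payload bytes directly in script land.
# tcp_contents is only generated for ports enabled here (or for every responder
# via tcp_content_deliver_all_resp), so the extra cost is limited to port 6000.
redef tcp_content_delivery_ports_resp += { [6000/tcp] = T };

global x11_checked: set[conn_id];  # connections already classified

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    # Only the first chunk the server sends back matters.
    if ( is_orig || c$id in x11_checked || byte_len(contents) < 6 )
        return;
    add x11_checked[c$id];
    if ( sub_bytes(contents, 1, 6) == "\x01\x00\x0b\x00\x00\x00" )
        print fmt("X11 accepted: %s -> %s", c$id$orig_h, c$id$resp_h);
    }
```

The signature form is cheaper and needs no per-connection state; the `tcp_contents` form is the one to reach for when the decision depends on more than a fixed prefix.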