[Bro] tcp delay events!?

Vern Paxson vern at icir.org
Sat Dec 31 12:17:44 PST 2011


> I tried the tcp_packet and new_packet events but it seems that  
> they are not fired at every received packet.

They pretty much should indeed be generated for every received packet,
other than corner-case exceptions such as bad packet headers, or fragments
(there are a number of these).  What I suspect is happening is that
the traffic you're interested in isn't matching the packet-capture filter,
so it's not being looked at in the first place.  The way to check this
is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.

		Vern


