[Bro] Extraction of IP identification field from tcpdump file

sridhar basam sri at basam.org
Tue Feb 21 08:03:27 PST 2012


On Tue, Feb 21, 2012 at 7:40 AM, Rishi Sahay <basusahay at gmail.com> wrote:
> Hello,
>
>  I want to extract the IP identification field from the tcpdump file. I have
> extracted header information from the packets in the tcpdump file using the
> conn.bro script, but the IP identification field has not been extracted. Is
> there any script available to extract the IP identification field? I am
> using BRO IDS 1.5.3. Please help me in this regard. Thanks in advance.
>

Assuming you mean the 16-bit id value in the IP header, all I could
come up with is via the event new_packet.

global new_packet: event(c: connection, p: pkt_hdr);

pkt_hdr$ip$id

Handling new_packet is a costly event in terms of performance. I am
curious, if you don't mind, why you are tracking the ID values. Seems
like a lot to keep track of and print out.

    Sridhar
> --
> Best regards
>   Rishikesh Sahay
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
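A worked version of the approach Sridhar describes, written here as an added example and not code from the list post: a Bro 1.5-style script that handles new_packet and prints the IPv4 identification field, restricted to a constructed watched subnet so the per-packet handler is not run against all traffic. It assumes the Bro 1.5 record layout in which pkt_hdr$ip is an ip_hdr with id and ttl fields; the subnet value and the name watched_hosts are assumptions for the example.

```bro
# Added example (not from the list post).  Prints the 16-bit IPv4
# identification field for every packet of a watched host, using the
# new_packet event.  Run as:  bro -r trace.pcap ipid.bro
# Assumes Bro 1.5 records: pkt_hdr$ip is an ip_hdr with fields id and ttl.

@load conn

# Constructed example value: limit the costly per-packet handler to the
# hosts you actually care about (override with redef).
const watched_hosts: set[subnet] = { 192.168.0.0/16 } &redef;

# Count packets seen per originator so the cost of the handler is visible.
global packets_seen: table[addr] of count &default = 0;

event new_packet(c: connection, p: pkt_hdr)
	{
	# Skip packets that touch none of the watched hosts.
	if ( c$id$orig_h !in watched_hosts && c$id$resp_h !in watched_hosts )
		return;

	++packets_seen[c$id$orig_h];

	# ip.id is the 16-bit identification field of the IP header.
	print fmt("%s %s:%s -> %s:%s ip.id=%d ttl=%d",
	          network_time(), c$id$orig_h, c$id$orig_p,
	          c$id$resp_h, c$id$resp_p, p$ip$id, p$ip$ttl);
	}

event bro_done()
	{
	for ( h in packets_seen )
		print fmt("%s: %d packets inspected", h, packets_seen[h]);
	}
```

Because new_packet fires for every packet, the watched_hosts filter (or a tighter capture filter when reading the trace) is what keeps this from dominating Bro's runtime on a large tcpdump file.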