[Bro] Attributes and Ports Questions

anthony kasza anthony.kasza at gmail.com
Thu Oct 30 08:40:02 PDT 2014


Thanks for the explanations, Jon.

-AK
On Oct 29, 2014 12:35 PM, "Siwek, Jon" <jsiwek at illinois.edu> wrote:

>
> > On Oct 28, 2014, at 8:10 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
> >
> > What is the purpose of the unknown port type?
>
> It should mostly be used internally to signify an uninitialized/invalid
> transport protocol.  I don’t think it’s common for that to actually be
> exposed to the scripting-layer for practical usage.
>
> > And why do they only
> > range from 0-255? Compare the results of the following commands.
> > bro -e 'print 0/unknown; print 255/unknown;'
> > bro -e 'print 0/unknown; print 255/unknown; print 256/unknown;'
>
> Likely arbitrary and just due to copy-paste of the code that parses ICMP
> port literals (for ICMP, Bro uses 0-255 to correspond to the Type/Code
> values).
>
> > How are ports flattened? See the results of the following command.
> > bro -e 'print 0/udp; print |0/udp|; print |32/tcp|; print |11/tcp|;
> > print |132/unknown|; print 132/unknown;'
>
> Internally, a port is a single uint64 with some of the high-bits set to
> indicate which port-space it belongs to.  You’re seeing that value here.
> E.g.
>
> $ bro -e 'print |32/tcp| == 0x10000 + 32'
> T
> $ bro -e 'print |37/udp| == 0x20000 + 37'
> T
>
> - Jon
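The flattening Jon describes, modelled as a small Python module. This is an added example, not Bro's own code: the tcp (0x10000) and udp (0x20000) port-space bits and the 0-255 limit for icmp and unknown ports come from the thread above; the icmp value (0x30000) and the choice of no port-space bits for unknown are assumptions made for this example. It encodes a port literal into the single integer that `|p|` exposes, decodes it back, and shows why comparing the raw number alone would wrongly equate 80/tcp with 80/udp.

```python
"""Model of Bro's flattened port representation (added example, not Bro code).

Bro stores a port as one integer with high bits marking the port-space.
The thread shows |32/tcp| == 0x10000 + 32 and |37/udp| == 0x20000 + 37.
"""

# Port-space bits. tcp and udp are taken from the thread; icmp and unknown
# are assumptions for this example only.
PORT_MASKS = {
    "unknown": 0x00000,  # assumption: no port-space bits set
    "tcp": 0x10000,      # from the thread
    "udp": 0x20000,      # from the thread
    "icmp": 0x30000,     # assumption
}
SPACE_BITS = 0x30000  # the bits that carry the port-space
SPACE_NAMES = {mask: proto for proto, mask in PORT_MASKS.items()}

# Largest port number per space: 16-bit for tcp/udp, 0-255 for icmp
# (Type/Code) and unknown, as stated in the thread.
MAX_PORT = {"tcp": 65535, "udp": 65535, "icmp": 255, "unknown": 255}


def encode_port(literal: str) -> int:
    """Turn a literal such as '32/tcp' into the flattened integer |32/tcp|."""
    num_str, _, proto = literal.partition("/")
    if proto not in PORT_MASKS:
        raise ValueError(f"unknown port-space {proto!r}")
    num = int(num_str)
    if not 0 <= num <= MAX_PORT[proto]:
        raise ValueError(f"{num}/{proto} out of range 0-{MAX_PORT[proto]}")
    return PORT_MASKS[proto] | num


def decode_port(flat: int) -> tuple:
    """Recover (number, port-space) from a flattened value."""
    return flat & ~SPACE_BITS, SPACE_NAMES[flat & SPACE_BITS]


def same_port(a: str, b: str) -> bool:
    """Compare two port literals the way Bro does: number and port-space."""
    return encode_port(a) == encode_port(b)


if __name__ == "__main__":
    for lit in ("0/udp", "32/tcp", "37/udp", "11/tcp", "132/unknown"):
        flat = encode_port(lit)
        print(f"|{lit}| = {flat} (0x{flat:x}) -> {decode_port(flat)}")
    print("80/tcp == 80/udp ?", same_port("80/tcp", "80/udp"))
    try:
        encode_port("256/unknown")
    except ValueError as err:
        print("rejected:", err)
```

The rejection of `256/unknown` mirrors the parse failure the second `bro -e` command in the thread provokes; in Bro the limit is a property of the literal parser, so a script that builds ports from untrusted numbers should validate the range before use rather than rely on the parser.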