[Bro] Stream Extraction from Scriptland

Robin Sommer robin at icir.org
Tue Sep 23 08:07:23 PDT 2014



On Tue, Sep 23, 2014 at 07:35 -0700, anthony kasza wrote:

> It does seem that set_record_packets only works on TCP data packets,
> though.

Actually, I'm surprised that it works with TCP at all. The problem
with set_record_packets() is that at the time when an event handler
calls it, the packet may already be gone at Bro's lower levels
(handlers are executed asynchronously and Bro doesn't buffer any
packets).

Have you tried calling set_record_packets(c$id, T) in new_connection()
for UDP traffic? (Understood that that isn't what you want, just to
see if it works).

Regarding TM integration, the old 1.5 time machine script may actually
still work; it has the functionality.

Robin


-- 
Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin
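The experiment Robin suggests, written out as an added Bro script that is not part of this thread: it calls set_record_packets() from new_connection() for UDP flows to a configurable set of server ports and counts how many calls succeeded, so the recorded trace can be checked against that count. The module name, the port set and the counter are assumptions for the illustration.

```bro
# Added example, not from the mailing-list thread: request packet recording
# for new UDP connections as early as possible, i.e. in new_connection(),
# which is the first event where the conn_id exists.
module RecordUDP;

export {
    ## Server ports whose UDP flows should be written to the packet trace.
    ## (Assumed set; adjust to the traffic of interest.)
    const ports: set[port] = { 53/udp, 123/udp } &redef;
}

# Number of connections for which set_record_packets() reported success.
global marked = 0;

event new_connection(c: connection)
    {
    # Only UDP flows to the configured ports; TCP is not the question here.
    if ( ! is_udp_port(c$id$resp_p) || c$id$resp_p !in ports )
        return;

    # set_record_packets() returns F when the connection is no longer
    # known to the core, which is the failure mode Robin describes.
    if ( set_record_packets(c$id, T) )
        ++marked;
    }

event bro_done()
    {
    print fmt("UDP connections marked for packet recording: %d", marked);
    }
```

Run it as `bro -r input.pcap -w recorded.pcap record_udp.bro` and compare the UDP flows present in recorded.pcap with the printed count to see whether recording from new_connection() actually takes effect for UDP.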
