[Bro] Stream Extraction from Scriptland
anthony kasza
anthony.kasza at gmail.com
Tue Sep 23 19:27:23 PDT 2014
Hi Robin,
The same results occur (UDP, ICMP and TCP signalling packets are
present in the interesting.pcap file) when running:
bro -Cr sample.pcap new_test.bro -w interesting.pcap
Where sample.pcap is the previously included sample.pcap trace file
and new_test.bro includes the following code:
event new_connection(c: connection)
{
if ("DNS" in c$service) # this is surprisingly set before this
event is handled, so we can use it
{
set_record_packets(c$id, T);
} else {
set_record_packets(c$id, F);
}
}
To me, it seems the function only works with TCP connections.
-AK
On Tue, Sep 23, 2014 at 8:07 AM, Robin Sommer <robin at icir.org> wrote:
>
>
> On Tue, Sep 23, 2014 at 07:35 -0700, anthony kasza wrote:
>
>> It does seem that set_record_packets only works on TCP data packets,
>> though.
>
> Actually, I'm surprised that it works with TCP at all. The problem
> with set_record_packets() is that at the time when an event handler
> calls it, the packet may already be gone at Bro's lower levels
> (handlers are executed asynchronously and Bro doesn't buffer any
> packets).
>
> Have you tried calling set_record_packets(c$id, T) in new_connection()
> for UDP traffic? (Understood that that isn't what you want, just to
> see if it works).
>
> Regarding TM integration, the old 1.5 time machine script may actually
> still work, it has the functionality.
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
More information about the Bro
mailing list