[Bro] TCP options of a SYN packet

Thomas Tan thomastan81 at gmail.com
Wed Dec 2 07:41:54 PST 2015


Dear All,

I have checked out the TCPRS-plugin (
https://github.com/bro/bro-plugins/tree/master/tcprs/scripts/Bro/TCPRS).
Unfortunately, it does not do the job. It cannot get the TCP options, and the
order of the options, from a SYN packet. The TCP options of a SYN
packet I am concerned with are described below.

# NOP option
# EOL option
# window scaling option, value nnn (or * or %nnn)
# maximum segment size option, value nnn (or * or %nnn)
# selective ACK OK
# timestamp
# timestamp with zero value
# unrecognized option number n.

Your kind help will be very much appreciated.

Best regards,

Thomas

On 26 November 2015 at 12:29, Thomas Tan <thomastan81 at gmail.com> wrote:

> Dear Jan,
>
> Many thanks for your reply. I am using the tcp_option event. However, it seems
> to me that the event can't tell which TCP options are from the SYN packet
> of a connection and which ones are from other packets of the connection. I
> think I will look into the TCPRS-plugin.
>
> Best regards,
>
> Thomas
>
> On 26 November 2015 at 12:16, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>
>> Hi Thomas,
>>
>> there is the tcp_option event, that might help you (see
>> https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_TCP.events.bif.bro.html#id-tcp_option).
>> If that does not fit for you, you might have a look into the TCPRS-plugin (
>> https://github.com/bro/bro-plugins/tree/master/tcprs/scripts/Bro/TCPRS).
>> I have never used it but I think it also parses some TCP options and thus
>> might be a good starting point.
>>
>> Best regards,
>>
>> Jan
>>
>> ------------------------------
>> From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Thomas
>> Tan [thomastan81 at gmail.com]
>> Sent: Thursday, November 26, 2015 10:18
>> To: bro at bro.org
>> Subject: [Bro] TCP options of a SYN packet
>>
>> Dear All,
>>
>> Just wondering if anyone knows a way (an event) to obtain TCP options of
>> a SYN packet?
>>
>> Your help will be very much appreciated.
>>
>> Thank you.
>>
>> Best regards,
>>
>> Thomas
>>
>
>
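Parsing the option area of a SYN in wire order, as an added example that is not part of this thread and is not Bro or TCPRS code: a plain-Python parser over a constructed SYN header that emits one token per option in the categories Thomas lists (NOP, EOL, window scale, MSS, SACK OK, timestamp, timestamp with zero value, unrecognized option kind) and rejects malformed option lengths instead of looping on them. The sample header bytes and the token names are assumptions made for this example.

```python
import struct

# Constructed sample, not a real capture: a 44-byte TCP header of a pure SYN
# (data offset 11). Options: MSS 1460, NOP, window scale 7, NOP, NOP,
# timestamp (TSval=1, TSecr=0), SACK permitted, EOL, then one padding byte.
SAMPLE_SYN = bytes.fromhex(
    "c2180050" "12345678" "00000000" "b002" "faf0" "0000" "0000"
    "020405b4" "01" "030307" "0101" "080a0000000100000000" "0402" "00" "ff"
)

def syn_options(tcp_header: bytes) -> list[str]:
    """Options of a pure SYN in wire order: nop, eol, mss:<n>, ws:<n>, sackok,
    ts (TSval != 0), ts0 (TSval == 0), unknown:<kind>."""
    if len(tcp_header) < 20 or tcp_header[13] & 0x12 != 0x02:  # SYN set, ACK clear
        raise ValueError("not a complete, pure SYN header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    tokens: list[str] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # EOL: the rest is padding
            tokens.append("eol")
            break
        if kind == 1:                          # NOP has no length byte
            tokens.append("nop")
            i += 1
            continue
        # Every other option carries a length byte; a length below 2 would
        # never advance the cursor and a length past the option area points
        # outside the header, so both are rejected instead of looped on.
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            tokens.append("mss:%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            tokens.append("ws:%d" % body[0])
        elif kind == 4 and length == 2:
            tokens.append("sackok")
        elif kind == 8 and length == 10:
            tsval = struct.unpack("!II", body)[0]
            tokens.append("ts" if tsval else "ts0")
        else:
            tokens.append("unknown:%d" % kind)
        i += length
    return tokens
```

The returned token list preserves the on-wire order, which is what distinguishes one stack's SYN from another's; the timestamp and MSS values are decoded so the caller can apply its own matching rule.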