[Bro] Get Packet Header for all packets

Xu Chen xuchen890530 at gmail.com
Mon Nov 7 08:23:20 PST 2016


I use tcpdump on the bro interface. The interface gets ARP packets since the destination is unreachable. But these packets can't be captured by bro (because the connection is not established), so bro will not return the src/dst IP of the packets.

My design is to use bro to capture the src and dst IP from ARP/ICMP request/TCP request and then add a rule to an openflow switch to make the destination reachable. Any ideas on this?

Chen 

> On Nov 7, 2016, at 11:02 AM, erik clark <philosnef at gmail.com> wrote:
> 
> I am not sure thats accurate. I was recently troubleshooting a situation where a printer was sending millions of packets an hour at a remote host. On the remote destination host, that traffic was never seen, yet bro logged it just fine. This was confirmed by running tcpdump in the middle (off the tap) and on the end point (the destination). Tcpdump on the destination showed zero packets coming from the source....
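As an added illustration (not code from this thread), here is a Bro script that records src/dst pairs for exactly the traffic described above: ARP requests, which never form a connection and so are only visible through the `arp_request` event, and the first packet of a TCP/ICMP/UDP flow via `new_connection`, which fires before any reply arrives. The OpenFlow push is left out; the script writes each pair once per hour to a `reach.log` file, which is the point where a switch rule would be issued. The module name `Reach` and the log path are assumptions.

```bro
# Added example: collect src/dst pairs from ARP requests and unanswered flows.
module Reach;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:    time   &log;
        proto: string &log;   # "arp", "tcp", "udp" or "icmp"
        src:   addr   &log;
        dst:   addr   &log;
    };

    # Pairs already written; expire after an hour so a flooding host
    # (like the printer in the thread) is reported once, not per packet.
    global seen: set[addr, addr] &create_expire=1hr;
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="reach"]);
    }

function report(proto: string, src: addr, dst: addr)
    {
    if ( [src, dst] in seen )
        return;
    add seen[src, dst];
    # This is where an OpenFlow/NetControl rule for src -> dst would be pushed.
    Log::write(LOG, [$ts=network_time(), $proto=proto, $src=src, $dst=dst]);
    }

# ARP is not a connection, but Bro raises this event for every request seen.
# SPA/TPA are the sender and target protocol (IP) addresses.
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                  TPA: addr, THA: string)
    {
    report("arp", SPA, TPA);
    }

# Raised on the first packet of a flow (TCP SYN, ICMP echo, UDP datagram),
# so it fires even when the destination never answers.
event new_connection(c: connection)
    {
    local proto = fmt("%s", get_port_transport_proto(c$id$resp_p));
    report(proto, c$id$orig_h, c$id$resp_h);
    }
```

Run it with `bro -i <iface> reach.bro` (or against a pcap with `-r`) and inspect `reach.log`; the `&create_expire` on `seen` is what keeps a host sending millions of packets an hour from producing millions of rules.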