[Bro] Get Packet Header for all packets

Jan Grashöfer jan.grashoefer at gmail.com
Mon Nov 7 09:05:26 PST 2016


Hi Chen,

> Is there any other script I can use to capture the packet header no matter whether the destination is reachable or not?

in general you can use the raw_packet event (see
https://www.bro.org/sphinx-git/scripts/base/bif/event.bif.bro.html?highlight=new_packet#id-raw_packet)
but that is very expensive.

> My design is to use bro to capture the src and dst IP from ARP/ICMP request/TCP request and then add rule to an openflow switch to make the destination reachable. Any ideas on this?

To avoid the raw_packet event, there are ARP and ICMP analyzers for Bro
you can use. While the ARP analyzer delivers src and dst IP, the ICMP
analyzer uses the origin/responder pattern creating "virtual
connections" by matching eg. echo request and echo reply. With Bro 2.5
(beta2 available) you will be able to retrieve the actual source and
destination IPs of the current packet using get_current_packet_header().
However, depending on the scenario you might just use origin and responder.

Best regards,
Jan
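As an added example (not part of Jan's reply or of Bro's own scripts), a Bro 2.5 script that logs source and destination IPs the way the reply describes: from the ARP analyzer's `arp_request` event, and from the ICMP analyzer's echo request together with `get_current_packet_header()`. The module name `SeenHosts`, the log path `seen_hosts` and the `Info` record are my own choices.

```bro
# Added example: record src/dst IPs seen in ARP requests and ICMP echo
# requests without using the expensive raw_packet event.
# Assumes Bro 2.5 (for get_current_packet_header()).

module SeenHosts;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:    time   &log;
        proto: string &log;
        src:   addr   &log;
        dst:   addr   &log;
    };
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="seen_hosts"]);
    }

# ARP analyzer: SPA/TPA are the sender and target protocol (IP) addresses,
# so the destination is known even if it never answers.
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    Log::write(LOG, [$ts=network_time(), $proto="arp", $src=SPA, $dst=TPA]);
    }

# ICMP analyzer: the echo request is the originator side of a "virtual
# connection", so c$id$orig_h / c$id$resp_h already hold src/dst. With
# Bro 2.5 the actual IPv4 header of the current packet can be read too.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    local src = c$id$orig_h;
    local dst = c$id$resp_h;

    local hdr = get_current_packet_header();
    if ( hdr?$ip )          # present only for IPv4 packets
        {
        src = hdr$ip$src;
        dst = hdr$ip$dst;
        }

    Log::write(LOG, [$ts=network_time(), $proto="icmp", $src=src, $dst=dst]);
    }
```

Running `bro -r capture.pcap seen_hosts.bro` writes a `seen_hosts.log` with one line per ARP request and per ICMP echo request, whether or not the target ever replies.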
