[Bro] ip_bytes and pkts not set in conn.log for cropped UDP packets
david at woist.net
Tue Oct 11 23:25:18 PDT 2016
Hi all,
We use bro-2.4.1 to analyze pcap traces with cropped payload.
This works fine for TCP and ICMP packets; however, orig_pkts,
orig_ip_bytes, resp_pkts and resp_ip_bytes are all set to "0" in
conn.log for the connections with cropped UDP packets (such as DNS
packets with a snaplen of 42).
That is, we end up with a conn.log entry stating that no packets were
observed for the corresponding connection.
I assume this is because no application analyzer is started.
How can we still get these fields updated?
(-C does not help, and orig_bytes as well as resp_bytes are set
correctly; I also noted that the event udp_contents is triggered for
the packets).
Many thanks!
David
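As an added example (not code from the poster or from the Bro project), the script below shows how the per-flow packet and IP-byte counts that conn.log reports can be recovered from a trace even when the UDP payload has been cropped to the headers: the IP total-length field survives in the IP header, so a per-flow sum of that field (the same quantity Bro's orig_ip_bytes/resp_ip_bytes are taken from) is still computable. It builds a constructed two-packet DNS exchange, writes it as an in-memory pcap with a snaplen of 42, and then parses the pcap back to count packets, IP bytes and cropped records per UDP flow. All packet contents, addresses and the `build_pcap`/`udp_flow_stats` helper names are assumptions made for the example.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian pcap magic, microsecond timestamps


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (constructed sample, checksums left zero)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len  # IP header (no options) + UDP header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 17, 0, ip_to_bytes(src), ip_to_bytes(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def build_pcap(frames, snaplen):
    """Serialise frames into a classic pcap (link type 1 = Ethernet), cropping each to snaplen."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    out = [header]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out.append(struct.pack("<IIII", 1476000000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def iter_records(data):
    """Yield (incl_len, orig_len, frame_bytes) for every record in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def parse_udp(frame):
    """Return (src, dst, sport, dport, ip_total_len) for an IPv4/UDP frame, else None.

    Only the headers are needed, so a frame cropped to 42 bytes still parses.
    """
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl or ip[9] != 17:  # protocol 17 = UDP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]  # IP total length, from the header
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack_from("!HH", udp, 0)
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, sport, dport, total_len


def udp_flow_stats(pcap_bytes):
    """Per-UDP-flow counters in the spirit of conn.log; the first packet seen is the originator."""
    flows = defaultdict(lambda: {"orig_pkts": 0, "orig_ip_bytes": 0,
                                 "resp_pkts": 0, "resp_ip_bytes": 0, "cropped_pkts": 0})
    for incl_len, orig_len, frame in iter_records(pcap_bytes):
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, total_len = parsed
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key not in flows and rkey in flows:
            key, side = rkey, "resp"
        else:
            side = "orig"
        stats = flows[key]
        stats[side + "_pkts"] += 1
        stats[side + "_ip_bytes"] += total_len
        if incl_len < orig_len:
            stats["cropped_pkts"] += 1
    return dict(flows)


# Constructed sample: a DNS query (31-byte payload) and its reply (47-byte payload),
# captured with snaplen 42 so only Ethernet + IP + UDP headers survive.
SAMPLE_PCAP = build_pcap([
    build_ipv4_udp("10.0.0.5", "10.0.0.1", 53000, 53, b"Q" * 31),
    build_ipv4_udp("10.0.0.1", "10.0.0.5", 53, 53000, b"R" * 47),
], snaplen=42)


def sample_stats():
    return udp_flow_stats(SAMPLE_PCAP)


if __name__ == "__main__":
    for flow, stats in sample_stats().items():
        print(flow, stats)
```

Running the block prints one flow keyed by the originator 5-tuple with orig_ip_bytes 59 and resp_ip_bytes 75 (IP header 20 + UDP header 8 + payload), and cropped_pkts 2, which is what one would expect conn.log to show for this exchange once the counts are populated; comparing such an independently computed table against conn.log is a quick way to confirm whether the zeros are a property of the trace or of the analysis.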