[Bro] TCP Conn Log

Johanna Amann johanna at icir.org
Wed Apr 5 09:28:46 PDT 2017


Hi Mike,

I am currently not aware of any way to accomplish this without
modifications to the core. You can change the timeout that Bro uses for
TCP connections (the time after which it expires a connection, if it does
not see any packets) by changing tcp_inactivity_timeout; depending on your
specific application, maybe that might be good enough.

Johanna

On Mon, Apr 03, 2017 at 02:49:21PM +0200, mike anastasakis wrote:
> Hello,
> 
> I am using Bro for a project and I have a question regarding its
> capabilities.
> Currently when I have a long TCP connection that includes frequent TCP Keep
> Alive messages, bro is reassembling the whole network trace into one
> connection and presents it in conn.log with a big duration value. Is it
> possible to make bro split up TCP connections into smaller fragments based
> on an interval I set up or at least whenever a TCP Keep alive handshake
> takes place?
> 
> 
> Regards,
> Mike

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
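As an added illustration of the timeout adjustment Johanna mentions (example script written for this page, not code from the thread or from the Bro project), the following Bro script lowers the global tcp_inactivity_timeout and additionally shortens it per connection for a constructed set of server ports via the set_inactivity_timeout built-in; the port set and the interval values are assumptions chosen for the example.

```bro
# Added example, not from the thread: tuning Bro's TCP inactivity timeout.
#
# Bro expires a TCP connection once it has seen no packets on it for this
# long, after which conn.log gets the entry and a new connection record starts
# for any later packets. Default is 5 minutes; here it is lowered to 1 minute.
redef tcp_inactivity_timeout = 1min;

# Constructed set of server ports for which an even shorter timeout is wanted.
const short_timeout_ports: set[port] = { 8443/tcp } &redef;

event connection_established(c: connection)
	{
	# Per-connection override: applies only to this conn_id, leaving the
	# global value for everything else.
	if ( c$id$resp_p in short_timeout_ports )
		set_inactivity_timeout(c$id, 30sec);
	}

# Caveat matching the reply above: TCP keep-alive segments are packets, so
# they reset the inactivity timer. A long-lived session that sends keep-alives
# more often than the timeout still shows up as one conn.log entry with a
# large duration; this knob only helps when the keep-alive interval is longer
# than the timeout chosen here.
```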
