[Bro] "conn" field not present in connection
Daniel Thayer
dnthayer at illinois.edu
Thu Jun 1 17:40:36 PDT 2017
On 6/1/17 5:16 PM, Ren, Wenyu wrote:
> Hi Everyone,
>
> I have a problem using the "conn" field in the connection record. The reference states that "conn" should exist if "base/protocols/conn/main.bro" is loaded. I have it loaded and the "conn.log" is generated. However, the "conn" field is not there. I got the connection record from the new_packet event. Anyone have any idea? Thanks a lot.
>
> Best,
> Wenyu
The documentation states that the "conn" field exists if
base/protocols/conn/main.bro is loaded. Since the "conn" field has
the "&optional" attribute, it is not required to have a value.
At the time that the new_packet event is handled, not all of the
necessary information has been gathered, so the "conn" field
doesn't have a value yet. If you try checking in a subsequent event,
such as connection_state_remove, then you should be able to see a value
assigned to the "conn" field (and if you look at the
base/protocols/conn/main.bro script, you can see where it assigns a
value to the conn field).
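
The behaviour described in the reply above, as an added example that is not part of the original message or of the Bro distribution: a script that guards every access to the &optional "conn" field with the `?$` operator and compares the two events. The `missing_conn` table and the output format are hypothetical names chosen for illustration; the script assumes the stock main.bro has populated c$conn before a default-priority connection_state_remove handler runs.

```bro
@load base/protocols/conn

# Hypothetical helper table: per-connection count of new_packet events
# that were handled while c$conn had no value yet.
global missing_conn: table[string] of count &default=0 &create_expire=1hr;

event new_packet(c: connection, p: pkt_hdr)
    {
    # "?$" tests whether an &optional record field currently has a value.
    # Reading c$conn without this check is a run-time error when it is unset.
    if ( c?$conn )
        return;

    if ( c$uid !in missing_conn )
        missing_conn[c$uid] = 0;
    ++missing_conn[c$uid];
    }

# Assumption: main.bro assigns c$conn before this default-priority handler
# is called, so the field is normally present here. The guard stays anyway.
event connection_state_remove(c: connection)
    {
    if ( ! c?$conn )
        {
        print fmt("%s: conn still unset at connection_state_remove", c$uid);
        return;
        }

    local info = c$conn;

    # Fields inside Conn::Info can be &optional too; guard them the same way.
    local state = info?$conn_state ? info$conn_state : "-";

    print fmt("%s %s -> %s state=%s new_packet_events_without_conn=%d",
              info$uid, info$id$orig_h, info$id$resp_h, state,
              missing_conn[c$uid]);

    delete missing_conn[c$uid];
    }
```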