I’m currently working on a Bro plugin.
The protocol I’ve been dealing with is strictly ACKs and PSH/ACKs (its transport protocol is TCP). The sequence of packets is ACK, PSH/ACK, ACK, PSH/ACK, … However, Bro, from what I know, needs a SYN, a FIN/ACK, or something like that to close the packet and look for a data section. Therefore, none of my data is being picked up, and the Application Level processing doesn’t even get started. Is there an easy way to have Bro close the packet after each ACK, PSH/ACK pair? Or would I have to just fiddle with TCP.cc until I get the desired results? Thanks!!!