Can not dump the first packet?


Can I ask a question about Bro?

I want to dump the packets of certain connections to a pcap file. I used the function “dump_packets_of_connection” when the event “connection_state_remove” happens.

But I found that the first packet (always the SYN packet) of the connection was missed in the pcap file.
And I tried to dump all the packets to a file using the function “dump_current_packet” in the event “tcp_packet”. I found that the second packet of a connection was dumped twice but the first packet (the SYN packet) was missed.

It occurred again when I printed the data of all the packets.

How can I get the first packet and dump it?


Owen Ma


This is due to the connection compressor. The compressor defers
instantiating connection state until it sees packets from both
sides, which is why it can't raise events such as tcp_packet()
immediately with the first packet (the event carries a connection
parameter). Not sure what the best fix for this is (if there's any
at all) but you can work around the problem by turning the
compressor off via "redef use_connection_compressor=F".
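As an added example (not part of this thread or of Bro itself), here is a pure-Python check that reads a dumped pcap and reports every TCP flow whose first captured packet is not a bare SYN, so a missing-first-packet problem like the one described above is visible as soon as the dump is inspected. The sample pcap at the bottom is constructed inline; the pcap and frame builders exist only to create that test data.

```python
import struct
from typing import Dict, List, Optional, Tuple
SYN, ACK = 0x02, 0x10
Flow = Tuple[bytes, int, bytes, int]  # (addr, port, addr, port), direction-independent

def tcp_frame(src: bytes, sport: int, dst: bytes, dport: int, flags: int) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_file(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file, Ethernet link type (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def iter_frames(data: bytes):
    """Yield the raw frames of a little-endian libpcap file."""
    assert struct.unpack_from("<I", data)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def flow_and_flags(frame: bytes) -> Optional[Tuple[Flow, int]]:
    """Return the flow key and TCP flags of an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    sport, dport = struct.unpack_from("!HH", tcp)
    lo, hi = sorted([(frame[26:30], sport), (frame[30:34], dport)])
    return (lo[0], lo[1], hi[0], hi[1]), tcp[13]

def flows_missing_syn(pcap: bytes) -> List[Flow]:
    """List flows whose first captured packet is not a bare SYN: the symptom from the thread."""
    first: Dict[Flow, int] = {}
    for frame in iter_frames(pcap):
        parsed = flow_and_flags(frame)
        if parsed:
            first.setdefault(*parsed)
    return [k for k, flags in first.items() if flags & (SYN | ACK) != SYN]

# Constructed sample: flow A is complete; flow B starts at the SYN/ACK, as the thread describes.
A, B, S = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x09"
SAMPLE = pcap_file([tcp_frame(A, 40000, S, 80, SYN), tcp_frame(S, 80, A, 40000, SYN | ACK),
                    tcp_frame(A, 40000, S, 80, ACK), tcp_frame(S, 80, B, 40001, SYN | ACK),
                    tcp_frame(B, 40001, S, 80, ACK)])
```

Running `flows_missing_syn` over a real per-connection dump (read with `open(path, "rb").read()`) should return an empty list once the compressor is off; any flow it lists lost its SYN.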