Hello!
Can I ask a question about Bro?
I want to dump the packets of certain connections to a pcap file. I used the function “dump_packets_of_connection” when the event “connection_state_remove” happens.
But I found that the first packet (always the SYN packet) of the connection was missed in the pcap file.
And I tried to dump all the packets to a file using the function “dump_current_packet” in the event “tcp_packet”. I found that the second packet of a connection was dumped twice but the first packet (the SYN packet) was missed.
It occurred again when I printed the data of all the packets.
How can I get the first packet and dump it?
Thanks!
Owen Ma
08.01.13