Hi Scott,
Thank you for your reply. Bro didn't work without filter expression. this is
why I tried to use this filter expression. conn and weird analyzers did
generated some log records, but none of them captured the packets
having random source IP addresses. Weird analyzer recorded some "weird"
connections having good syn, ack and fin flags.
This traffic data is actually the DAPAR 2000 data set of MIT LL. I believe
it was captured from a real Lan. I doubt that Bro, in default setting, doesn't
record connection information if it did see SYN packets. The problem is how to
change this default setting.
thanks again
Bing