detect Ack flooding attack

./bro -f "(tcp and ((tcp[13] & 0x7 != 0) or (tcp[13] & 0x10 == 1)) ) or udp or

The second test you give, for capturing ACK packets, is incorrect.
It needs to be

  (tcp[13] & 0x10 == 0x10)

- Vern
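The two flag tests from the filter, evaluated the way BPF does (byte 13 of the TCP header ANDed with a mask, then compared), as an added example that is not part of the list thread or of Bro itself; the helper names, the constructed sample headers and their port numbers are assumptions of this example:

```python
import struct

# TCP flag bits in the flags byte (tcp[13]): CWR ECE URG ACK PSH RST SYN FIN
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header with no options and a zero checksum (constructed sample)."""
    data_offset = 5 << 4  # header length: 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcp_flags_byte(header: bytes) -> int:
    """BPF's tcp[13] is byte 13 of the TCP header, i.e. the flags byte."""
    return header[13]


def syn_fin_rst_test(flags: int) -> bool:
    """First test in the filter: (tcp[13] & 0x7 != 0) -> any of FIN/SYN/RST set."""
    return (flags & 0x7) != 0


def broken_ack_test(flags: int) -> bool:
    """Original second test: (tcp[13] & 0x10 == 1).
    flags & 0x10 can only be 0 or 0x10 (16), so it never equals 1."""
    return (flags & 0x10) == 1


def fixed_ack_test(flags: int) -> bool:
    """Vern's correction: (tcp[13] & 0x10 == 0x10) -> ACK bit set."""
    return (flags & 0x10) == 0x10


def count_matches(packets, ack_test) -> int:
    """Apply the whole TCP part of the filter with the given ACK test."""
    return sum(
        1
        for _, hdr in packets
        if syn_fin_rst_test(tcp_flags_byte(hdr)) or ack_test(tcp_flags_byte(hdr))
    )


# Constructed sample traffic: a normal handshake fragment plus ACK-only packets
# to different destination ports, the pattern described later in the thread.
SAMPLE_PACKETS = [
    ("syn", build_tcp_header(40000, 80, TCP_SYN)),
    ("syn-ack", build_tcp_header(80, 40000, TCP_SYN | TCP_ACK)),
    ("ack-only to port 1025", build_tcp_header(40001, 1025, TCP_ACK)),
    ("ack-only to port 1026", build_tcp_header(40002, 1026, TCP_ACK)),
    ("psh-ack", build_tcp_header(40003, 80, TCP_PSH | TCP_ACK)),
    ("rst", build_tcp_header(80, 40000, TCP_RST)),
]

if __name__ == "__main__":
    for label, hdr in SAMPLE_PACKETS:
        f = tcp_flags_byte(hdr)
        print(f"{label:24s} flags=0x{f:02x} broken={broken_ack_test(f)} fixed={fixed_ack_test(f)}")
    print("matched with broken ACK test:", count_matches(SAMPLE_PACKETS, broken_ack_test))
    print("matched with fixed ACK test: ", count_matches(SAMPLE_PACKETS, fixed_ack_test))
```

With the original expression only the packets carrying SYN, FIN or RST pass the filter; the pure-ACK packets are dropped before Bro ever sees them, which is exactly the symptom of an ACK flood going unlogged. With the corrected comparison every packet with the ACK bit set passes as well.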

Hi Vern,
     Thank you for your reply. I corrected this filter expression and ran Bro,
but I got the same result. I can see these spoofed source IP packets with
Ethereal. All of them target the same host but with different destination
ports. The TCP flag of these packets is 0x0010 (ack). I found not a single log
record for such packets. Am I missing anything?
     By the way, I am using the DARPA 2000 data set (Scenario one, inside
tcpdump file). This is the link for this data:
http://www.ll.mit.edu/IST/ideval/data/2000/LLS_DDOS_1.0.html

Thank you for your time.

Bing

Quoting Vern Paxson <vern@icir.org>: