Hello,
I want to extract the IP identification field from the tcpdump file. I have extracted header information from the packet in the tcpdump file using conn.bro script. But IP identification field has not been extracted. Is there any script available to extract the IP identification field. I am using BRO IDS 1.5.3. Please, help me in this regard. Thanks in advance.
Hello,
I want to extract the IP identification field from the tcpdump file. I have
extracted header information from the packet in the tcpdump file using
conn.bro script. But IP identification field has not been extracted. Is
there any script available to extract the IP identification field. I am
using BRO IDS 1.5.3. Please, help me in this regard. Thanks in advance.
Assuming you mean the 16 bit id value in the IP header. All i could
come up with is via event new_packet.
global new_packet: event(c: connection, p: pkt_hdr);
pkt_hdr$ip$id
Handling new_packet is a costly event in terms of performance. I am
curious, if you don't mind, why you are tracking the ID values. Seems
like a lot to keep track of and print out.
Sridhar
For this task you might want to consider using IPSumdump
http://www.cs.ucla.edu/~kohler/ipsumdump/
Which is much faster for getting IP header level information from a TCPdump file than bro.
Hello,
extractfeature.bro (74.1 KB)
I want to extract the IP identification field from tcpdump dataset. I have
attached the script which I have got.
It's unreasonable to expect us to look through an 1,800 line script for a
problem like this. You really should trim it down to the simplest script
that expresses the problem you're encountering.
That said, I'll note that the only references to $ip_hdr$id (or even $ip_hdr)
are commented-out, so certainly aren't going to work!
Vern