Get Packet Header for all packets

I am not sure that's accurate. I was recently troubleshooting a situation where a printer was sending millions of packets an hour at a remote host. On the remote destination host, that traffic was never seen, yet bro logged it just fine. This was confirmed by running tcpdump in the middle (off the tap) and on the end point (the destination). Tcpdump on the destination showed zero packets coming from the source…

I use tcpdump on the bro interface. The interface gets ARP packets since the destination is unreachable. But these packets can't be captured by bro (because the connection is not established), so bro will not return the src/dst IP of the packets.

My design is to use bro to capture the src and dst IP from ARP/ICMP request/TCP request and then add rule to an openflow switch to make the destination reachable. Any ideas on this?

Chen

Hi Chen,

Is there any other script I can use to capture the packet header no matter whether the destination is reachable or not?

in general you can use the raw_packet event (see
https://www.bro.org/sphinx-git/scripts/base/bif/event.bif.bro.html?highlight=new_packet#id-raw_packet)
but that is very expensive.

My design is to use bro to capture the src and dst IP from ARP/ICMP request/TCP request and then add rule to an openflow switch to make the destination reachable. Any ideas on this?

To avoid the raw_packet event, there are ARP and ICMP analyzers for Bro
you can use. While the ARP analyzer delivers src and dst IP, the ICMP
analyzer uses the origin/responder pattern, creating "virtual
connections" by matching e.g. echo request and echo reply. With Bro 2.5
(beta2 available) you will be able to retrieve the actual source and
destination IPs of the current packet using get_current_packet_header().
However, depending on the scenario you might just use origin and responder.

Best regards,
Jan
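As an added illustration of Jan's suggestion (example code written for this thread, not code from the thread or from the Bro distribution), the script below records the src/dst pairs Chen wants from the ARP, ICMP and TCP analyzers instead of the expensive raw_packet event. It assumes Bro 2.4 or later; the module name SeenHosts, the log path "seen_hosts" and the 10 minute suppression window are assumptions, while arp_request, icmp_echo_request, new_connection and is_tcp_port are standard Bro events and functions.

```bro
# Added example: collect the source/destination addresses Chen asked about
# with the ARP, ICMP and TCP analyzers instead of the expensive raw_packet event.
module SeenHosts;

export {
    redef enum Log::ID += { LOG };
    type Info: record {
        ts:    time   &log;
        src:   addr   &log;
        dst:   addr   &log;
        proto: string &log;   # "arp", "icmp" or "tcp"
    };
    # Pairs already reported, so a host retrying millions of times an hour
    # does not flood the log (or an OpenFlow controller fed from it).
    global seen: set[addr, addr] &create_expire = 10 min;
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="seen_hosts"]);
    }

function report(src: addr, dst: addr, proto: string)
    {
    if ( [src, dst] in seen )
        return;
    add seen[src, dst];
    Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]);
    }

# ARP: SPA/TPA are the sender/target IPs, so an unanswered who-has still
# yields both ends of the exchange.
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    report(SPA, TPA, "arp");
    }

# ICMP: the "virtual connection" Jan describes; for a lone echo request the
# originator is the sender and the responder the unreachable target.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    report(c$id$orig_h, c$id$resp_h, "icmp");
    }

# TCP: new_connection fires on the first SYN, before any reply, so a
# connection attempt to an unreachable host is still visible here.
event new_connection(c: connection)
    {
    if ( is_tcp_port(c$id$resp_p) )
        report(c$id$orig_h, c$id$resp_h, "tcp");
    }
```

Run it with `bro -i <iface> seen_hosts.bro` (or against a pcap with `-r`) and the resulting seen_hosts.log holds one line per new src/dst pair, which a controller can read to install flow rules.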