Hello,
I’m writing a Bro script to output the TCP payload of the first ACK from the client (is_orig = True).
I’m currently using the tcp_packet event, checking the ACK flag and payload length as well as whether it is the first ACK. I’m wondering if there is a cheaper way to achieve this, since tcp_packet is pretty expensive.
I cannot use the connection_first_ACK event because it does not give me the actual TCP payload.
I cannot use ssl_client_hello because I want to handle not only SSL.
Does anyone have suggestions? Thanks for the help!