Hello Again
I was trying to figure out the tcp/udp flag in conn.bro:record_connection from is_tcp_port and I got as far as bro.bif before I got lost. I was looking at the iana.org site and it looks like it's a pretty degenerate test, i.e., all the ports can be either. How does bro determine tcp vs udp?
thanks
Mike
> Hello Again
> I was trying to figure out the tcp/udp flag in conn.bro:record_connection
> from is_tcp_port and I got as far as bro.bif before I got lost.
The functions listed in .bif files are Built-In Functions, i.e.,
functions implemented in the core. To find such a function's
implementation, go to the src directory, and find the corresponding .bif
file, in this case bro.bif, which shows:
function is_tcp_port%(p: portval%): bool
%{
return new Val(p->IsTCP(), TYPE_BOOL);
%}
Next you need to know that a portval in the policy is mapped to a
PortVal object in the core, so the implementation of PortVal::IsTCP() is
found in Val.cc.
> I was
> looking at the iana.org site and it looks like it's a pretty degenerate
> test, i.e., all the ports can be either.
Yeah sure, both UDP and TCP can have ports 0-65535.
> How does bro determine tcp vs udp?
From looking at the IP header of the sniffed packets, which tell Bro
what protocol is at the transport layer. Check NetSessions::DoNextPacket
around line 436 and Stevens' TCP/IP Illustrated Vol 1 for details.
Cheers,
Christian.
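To illustrate the answer above (the transport protocol comes from the IP header's protocol field, not from the port number), here is an added, self-contained example; it is not Bro's code and not from this thread. It builds three constructed IPv4 packets that all carry port 53 (or no ports at all) and classifies each the way Bro's packet path does, by reading the protocol byte; IPv6 is deliberately out of scope.

```python
import struct

# Constructed sample packets (not captured traffic). Source/destination
# addresses are from the 192.0.2.0/24 documentation range.
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) followed by payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, SRC, DST)
    return hdr + payload

# TCP SYN 40000 -> 53 (20-byte header) and a UDP datagram 40000 -> 53 (8-byte header):
# identical ports, different transport protocols.
TCP_SEG = build_ipv4(6, struct.pack("!HHIIBBHHH", 40000, 53, 0, 0, 0x50, 0x02, 65535, 0, 0))
UDP_DGRAM = build_ipv4(17, struct.pack("!HHHH", 40000, 53, 8, 0))
# ICMP echo request: a transport layer that has no ports at all.
ICMP_PKT = build_ipv4(1, bytes([8, 0, 0, 0, 0, 0, 0, 0]))

IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def transport_of(pkt: bytes):
    """Return (protocol_name, src_port, dst_port) read from the IPv4 header.

    Ports are only meaningful for TCP and UDP; for anything else they are None.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (IHL field)
    name = IP_PROTO.get(pkt[9], f"proto-{pkt[9]}")  # byte 9 is the protocol field
    if name not in ("tcp", "udp"):
        return (name, None, None)
    if len(pkt) < ihl + 4:
        raise ValueError("truncated transport header")
    src, dst = struct.unpack_from("!HH", pkt, ihl)  # both headers start with the ports
    return (name, src, dst)

def bro_port(pkt: bytes) -> str:
    """Format the destination port the way Bro prints a port value, e.g. '53/udp'."""
    name, _, dst = transport_of(pkt)
    return f"{dst}/{name}" if dst is not None else name

if __name__ == "__main__":
    for p in (TCP_SEG, UDP_DGRAM, ICMP_PKT):
        print(transport_of(p), bro_port(p))
```

Running it shows that 53/tcp and 53/udp are distinguished solely by the protocol byte at offset 9 of the IP header, which is the same information Bro uses when it decides whether a port value is TCP or UDP.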