Partial tcpdump traces


could you possibly point me towards which files or functions I should look at to get rid of these sanity checks? I know I’m not exactly using Bro for its proper use - I just need it to provide a ground truth for all flows inside of a trace. So far I’ve had no problems with full tcpdump traces, but if I could just find a way for it to handle partial tcpdump traces then it would suit my needs perfectly.


The one I found is this snippet in

   if ( len > 0 && (caplen >= len || packet_children.size()) &&
        ! flags.RST() && ! Skipping() )
           need_contents = DeliverData(t, data, len, caplen, ip, tp,
                                       endpoint, base_seq,
                                       is_orig, flags);
The condition "caplen >= len" prevents Bro from passing the payload
on. However, just removing this still doesn't get the data to the
signature engine so there must be more such checks at other places
(to check whether the sig engine sees the data, you can configure
with --enable-debug and then run Bro with "-B rules"; that outputs
some debugging info into debug.log; your payload should show up in
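A way to tell up front whether a trace is going to hit that "caplen >= len" path is to check the pcap records themselves: any record whose captured length is below its original length has been cut by the snaplen, so TCP payload inside it will be partial. The Python below is an added example, not Bro code and not from this thread; it walks a classic pcap file offline and reports truncated records. The sample file is constructed inline with made-up lengths, and the packet bytes are zero filler because only the record headers matter for this check.

```python
import struct

def _structs(pcap: bytes):
    """Pick byte order from the pcap magic and return (global header, record header) structs."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":    # 0xa1b2c3d4 written little-endian (the usual case)
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":  # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    # record header: ts_sec, ts_usec, incl_len (caplen), orig_len (len on the wire)
    return struct.Struct(endian + "IHHiIII"), struct.Struct(endian + "IIII")

def truncation_report(pcap: bytes) -> dict:
    """Count records where incl_len < orig_len, i.e. packets clipped by the snaplen."""
    ghdr, rhdr = _structs(pcap)
    snaplen = ghdr.unpack_from(pcap, 0)[5]
    off = ghdr.size
    total = truncated = missing_bytes = 0
    while off + rhdr.size <= len(pcap):
        _ts_sec, _ts_usec, caplen, origlen = rhdr.unpack_from(pcap, off)
        off += rhdr.size
        if off + caplen > len(pcap):
            raise ValueError("record %d runs past end of file" % total)
        total += 1
        if caplen < origlen:          # this is the case Bro's TCP analyzer refuses to deliver
            truncated += 1
            missing_bytes += origlen - caplen
        off += caplen
    return {"snaplen": snaplen, "packets": total,
            "truncated": truncated, "missing_bytes": missing_bytes}

def build_sample_pcap() -> bytes:
    """Constructed sample: snaplen 96, one full 60-byte frame, one 1514-byte frame clipped to 96."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)   # linktype 1 = Ethernet
    rec1 = struct.pack("<IIII", 1, 0, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1, 100, 96, 1514) + b"\x00" * 96
    return ghdr + rec1 + rec2

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(truncation_report(data))
```

Run it against a real file with `python3 check_trace.py trace.pcap`; a non-zero "truncated" count means the payload of those packets never reaches DeliverData and so never reaches the signature engine.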