tcp contents

In short, this is what I'm trying to do: I want to selectively save the payload/contents of a TCP stream to a file just based on the protocol/port number. Note: I can currently do this using 2 different approaches but I'm looking for the "right" way.

a - (this approach works but I modified the source code) The small TCP_TransactionConnection class below in conjunction with a simple policy script does appear to successfully save the TCP contents for POP3, SMTP and HTTP. (Yes trivial code changes were made to substitute the TCP_TransactionConnection for SMTP_Conn and HTTP_Conn in ) The simple policy script filters on the desired ports and assigns a contents file each time a tcp connection is created.

b. - (this approach also works but it is not as efficient as above) I was able to save the HTTP and SMTP data by just creating empty event handlers for ("event smtp_data" and "event http_reply") in conjunction with the identical policy script used above. This is less efficient than the first approach because of all the processing done by the HTTP_Conn and SMTP_Conn classes which would not be utilized by this prototype/application.

c. (this approach may have potential but it doesn't look like it can work in the current code) There is a TCP_ConnectionContents class that gets instantiated if a "new_connection_contents" policy handler exists (in but it doesn't look it can limit itself to a certain number of protocols/ports. In addition, it doesn't look like the code there was fully implemented in the BuildEndPoints method for the TCP_ConnectionContents class (the TCP_CONTENTS_BOTH case is missing).

Bottom line. Since I'm not that familiar with the source code how does this feature/goal fit into the overall design of bro and is there already a way to accomplish it? Determining if this feature is of value is probably the first question.

Thanks again for your help and your time. If anything is unclear please let me know.