tcp delay events!?

Khaled_El_Dassouki · December 30, 2011, 3:13pm

Hello,
I am using Bro in my research work. My problem is that I am trying to write a Bro script that fires alarms based on TCP packet delays. I didn’t find any Bro event that could be handled at every received packet. I tried the tcp_packet and new_packet events but it seems that they are not fired at every received packet. Even I tried to write a signature that could be hit at every tcp packet but I found that unfortunately tcp signatures could be hit only once at the receiving of the first tcp packet.
Please help I am really tired…

Vern · December 31, 2011, 8:17pm

I tried the tcp_packet and new_packet events but it seems that
they are not fired at every received packet.

They pretty much should indeed be generated for every received packet,
other than corner-case exceptions such as bad packet headers, or fragments
(there are a number of these). What I suspect is happening is that
the traffic you're interested in isn't matching the packet-capture filter,
so it's not being looked at in the first place. The way to check this
is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.

Vern

Matthias_Vallentin1 · January 1, 2012, 12:43am

(there are a number of these)

When you're running from a trace, you may want to use -C to also
process packets with invalid checksums.

Matthias

Khaled_El_Dassouki · January 3, 2012, 11:56am

Hello,
Thank you for your quick feedback. It worked and my problem is solved.
Btw: I suspected my traces (I am using the MAWI traces) so I tried the new_packets and tcp_packets events on the ftp.traces used in your last workshop. The result was the same. However there is another thing that I would like to point to is when using the tcp_packet event handler. The event is fired two times at the same moment (network_time()) for the SYN and the SYN ACK message. Is it normal? I will manage to use during this stage the new_connection and the connection established events.
I will be using Bro for the rest of my phd (it is a great tool), my next step will be targeting VOIP and mainly SIP, is there any SIP analyser for Bro?
Thanks again,
Khaled.

Quoting Vern Paxson <vern@ICIR.org>:

robin · January 3, 2012, 9:44pm

There's an older prototype of a basic SIP analyzer but that never made
it into the release. I'll forward you an older mail with more details.

Robin

Vern · January 3, 2012, 10:09pm

However there is another thing that
I would like to point to is when using the tcp_packet event handler.
The event is fired two times at the same moment (network_time()) for
the SYN and the SYN ACK message. Is it normal?

For Bro 1.5, my guess is this is due to the default use of the "connection
compressor". Try running with "use_connection_compressor=F" on the command
line to turn it off.

Vern

Topic		Replies	Views
Questions About UDP Events in Bro Zeek	1	56	May 6, 2022
(Traffic characteristics extraction with Bro - Continue) Zeek	2	50	May 6, 2022
Bro performance issues Zeek	53	84	May 6, 2022
http_request event Zeek	4	58	May 6, 2022
Fragmentation and TCP overlapping Issues Zeek	9	78	May 6, 2022

tcp delay events!?

Related Topics