truncated packets

Dear All,

I know that Bro can analyze offline traffic with its -r option, but I wonder if it can analyze traffic that contains truncated packets? I remember a few years ago when I ran old versions of Bro on the MAWI traffic, it didn’t work properly since the packets were all truncated at 54 bytes. Maybe this has changed in the newer versions?

Regards
Laleh

You may try turning off the checksum verification.

See http://comments.gmane.org/gmane.comp.security.detection.bro/3168

Disabling checksum verification won't help much. You'll end up getting protocol violations because the protocol truncates so quickly. 54 bytes really doesn't give you much to work with. I assume you're just interested in getting connection logs?

  --Vlad

"The Bro list is public record anyway."

Yes… exactly. Is it possible to do so?

Laleh
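
Why a 54-byte truncation leaves so little to analyze, as an added example that is not part of the thread or of Bro: a 14-byte Ethernet header, a 20-byte IPv4 header and a 20-byte TCP header without options add up to exactly 54 bytes, so such a capture holds headers and no payload. The script below reads a classic pcap file and reports this; the function names and the sample capture are constructed for illustration.

```python
import struct

def truncation_report(pcap: bytes) -> dict:
    """Compare captured vs. on-wire sizes in a classic (non-pcapng) pcap file."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"                      # little-endian, usec or nsec timestamps
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(end + "II", pcap[16:24])
    rep = {"snaplen": snaplen, "packets": 0, "truncated": 0,
           "tcp_payload_captured": 0, "tcp_payload_on_wire": 0}
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        rep["packets"] += 1
        if incl < orig:                # record header says bytes were cut off
            rep["truncated"] += 1
        # Only Ethernet/IPv4/TCP frames with the TCP data-offset byte captured.
        if linktype != 1 or len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue
        ihl = (pkt[14] & 0x0F) * 4
        if len(pkt) < 14 + ihl + 13:
            continue
        tcp_hl = (pkt[14 + ihl + 12] >> 4) * 4
        ip_total = struct.unpack(">H", pkt[16:18])[0]
        captured_ip = min(len(pkt) - 14, ip_total)   # ignore Ethernet padding
        rep["tcp_payload_captured"] += max(0, captured_ip - ihl - tcp_hl)
        rep["tcp_payload_on_wire"] += max(0, ip_total - ihl - tcp_hl)
    return rep

def sample_pcap() -> bytes:
    """Constructed capture, snaplen 54: one full-size data segment, one bare ACK."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 54, 1)
    for ip_total in (1500, 40):
        eth = bytes(12) + b"\x08\x00"
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        tcp = struct.pack(">HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x10, 65535, 0, 0)
        frame = eth + ip + tcp         # 54 bytes: headers only
        out += struct.pack("<IIII", 0, 0, len(frame), 14 + ip_total) + frame
    return out

if __name__ == "__main__":
    print(truncation_report(sample_pcap()))
```
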