Hi,
I am new to bro so please forgive what I hope is a simple question with simple answer…
Running bro 2.5.5 on MacOS 10.12. I have a pcap file with traffic on port 5900. I’m trying to use contents.bro to write the payload of this conversation to a file so that I can process it later. I’m using something like
bro -r …/capture.pcap -f ‘tcp port 5900’ /usr/local/share/bro/base/protocols/conn/contents.bro
This results in the following connection log (sorry for the wrap) which tells me bro sees the traffic, but does not generate data files for port 5900:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2018-11-14-17-19-18
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1496000046.839399 C9iQbO1Y4veE4M2MDe 192.168.1.19 5900 192.168.1.14 50663 tcp - 184.468970 9195324 68250 OTH - - 0 DadAT 12266 9838046 8647 518684 (empty)
#close 2018-11-14-17-19-18
If I run without the BPF filter:
bro -r …/capture.pcap /usr/local/share/bro/base/protocols/conn/contents.bro
I get data files for other conversations with filenames that look like
contents_192.168.1.19:50560-192.168.1.8:62078_orig.dat
which contain content that I expect based on looking at pcap in wireshark, but nothing for the conversation on port 5900.
I know the data is there (shows up in wireshark) and I can run tcpflow and get data files for port 5900. So yes I realize there are other ways to do this, however, I’m trying to learn how to bro and so want to understand in a more generic sense why bro would not produce files for a given conversation in general and hope to learn by figuring out why it specifically does not generate anything for port 5900.
My actual use case has nothing to do with data on port 5900. I used this pcap file as an example to try out contents.bro, and was surprised/stumped as to why it would not generate a data file for port 5900 data. It might turn out that bro works just fine for my actual use case…but would still like to understand why it doesn’t work in this case.
The .bro scripts in my installation have not been modified. I made a copy of local.bro (called it something else) and have been playing with changes there, but in the above example I’m not using that…just the bro default settings and contents.bro.
Thanks in advance, Charlie