> Can Bro capture SIP and RTP traffic irrespective of
> the port the streams use?
No. For one, Bro doesn't have RTP or SIP analyzers. In addition, it
doesn't have the capability to analyze applications that are not running
on known ports, though addressing this is on the to-do list and I believe
some students are gearing up to tackle it.
Vern
Can Bro capture SIP and RTP traffic irrespective of
the port the streams use?
If it can, does Bro provide analyzers for this
traffic so that I can write scripts that use the
different fields in the RTP header?
Thanks
-Raghu
Hi,
I want to test the resource consumption of Bro (CPU and memory),
but I only have tcpdump files with high traffic volumes.
Is there a possibility to run Bro with the -r option so that
it goes through the traffic in the tcpdump files according to
the timestamps?
To make it clear: I want to simulate the real resource usage
as it would occur with the traffic in the tcpdump file.
Thanks for any help.
Cheers,
Christoph
Hi everybody,
I've been using Bro on my computer for different purposes for a few
months, and until now it has always worked well ;-)
Unfortunately, I've been experiencing a problem for a few days.
In fact, when running Bro (with the http.bro script) on some other
computers, I get series of "bad_tcp_checksum" (with Linux) or
"bad_ip_checksum" (with FreeBSD) messages, and only a few packets seem to be
read correctly.
To sum up, here is the current situation:
-> Bro still works on my computer (Linux Debian, kernel 2.4.26, Bro 0.8a87)
-> I get "bad_tcp_checksum" or "bad_ip_checksum" in these (tested) cases
(on 3 other computers):
1. Bro 0.8a87, 0.8a88, 0.9a7 on Linux Debian kernel 2.6.8 and 2.4.26,
installed from the same mirrors (same versions of libpcap in particular)
2. Bro 0.8a37 (package) on FreeBSD 5.3
(Experiments were done on an operational network, but also directly
between two computers with a crossover cable.)
If it is of interest (I don't really know why, but...), my computer
has an AMD PCnet32 ethernet controller. Bad checksums were obtained with
Intel and Broadcom controllers.
Hmm... Any ideas are welcome... ;-)
Thanks in advance,
Yohann.
> One way is through event tcp_packet:
> ...
> But please note that it requires a per-TCP-packet event and thus only
> works for low volume traffic.
Yes. And, more generally, this sort of low-level analysis is not what Bro
is designed for. If all you want to do is count URG packets, a simple
tcpdump filter is much more efficient.
Vern
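Two of the threads above touch the same packet-level mechanics: Yohann's "bad_ip_checksum"/"bad_tcp_checksum" reports (the thread does not resolve them; the usual cause of that symptom on a capturing host with Intel/Broadcom NICs is checksum offload, where the sniffer copies an outgoing packet before the NIC has filled in the checksum fields, so only the host's own transmitted packets look corrupt), and Vern's remark that counting URG packets is a job for a tcpdump filter rather than a per-packet Bro event. The following is an added example, not code from the original thread or from Bro: it builds a few Ethernet/IPv4/TCP frames from constructed values (the 10.0.0.x addresses, ports and payloads are made up), verifies the IPv4 header and TCP pseudo-header checksums the way a sniffer would, emulates what an offloaded packet looks like on the wire-side of the capture, counts URG packets using the same header byte that tcpdump's `tcp[tcpflags] & tcp-urg != 0` filter tests, and writes the frames as a classic libpcap file so the same count can be reproduced with tcpdump.

```python
"""Added example: checksum verification and URG counting on constructed frames.
Not Bro code and not from the mailing-list thread; addresses/ports are made up."""
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) used by IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

# TCP flag bits in the 13th byte of the TCP header (tcpdump: tcp[tcpflags]).
TCP_URG, TCP_ACK, TCP_PSH, TCP_SYN = 0x20, 0x10, 0x08, 0x02

def build_frame(src, dst, sport, dport, flags, payload=b"", offload=False):
    """Return an Ethernet/IPv4/TCP frame. With offload=True the checksums are
    left as the sending stack leaves them for the NIC to finish: the TCP field
    holds the pseudo-header partial sum (what Linux puts there) and the IP
    field is zero. A capture taken on the sending host sees exactly that."""
    tcp_len = 20 + len(payload)
    urgptr = len(payload) if flags & TCP_URG else 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                      65535, 0, urgptr) + payload
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = ones_complement_sum(pseudo) if offload else checksum(pseudo + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    ip_csum = 0 if offload else checksum(ip)
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp

def inspect_frame(frame: bytes) -> dict:
    """The checks a sniffer applies: IPv4 header checksum, TCP checksum over
    the pseudo-header, and the URG bit (tcpdump: tcp[13] & 0x20 != 0).
    A header whose checksum is correct sums to 0xFFFF including the field."""
    ip_start = 14                                   # after the Ethernet header
    ihl = (frame[ip_start] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    ip_hdr = frame[ip_start:ip_start + ihl]
    tcp_seg = frame[ip_start + ihl:ip_start + total_len]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return {
        "ip_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "tcp_ok": ones_complement_sum(pseudo + tcp_seg) == 0xFFFF,
        "urg": bool(tcp_seg[13] & TCP_URG),
    }

def count_urg(frames) -> int:
    """Equivalent of: tcpdump -nn -r file.pcap 'tcp[tcpflags] & tcp-urg != 0' | wc -l"""
    return sum(1 for f in frames if inspect_frame(f)["urg"])

def pcap_bytes(frames, link_type=1) -> bytes:
    """Serialise frames as a classic little-endian libpcap file (DLT_EN10MB)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: a handshake, one URG segment, one offloaded SYN.
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, TCP_ACK | TCP_PSH | TCP_URG,
                b"\xff\xf4\xff\xfd\x06"),       # telnet-style urgent data
    build_frame("10.0.0.1", "10.0.0.2", 40001, 80, TCP_SYN, offload=True),
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FRAMES):
        print(i, inspect_frame(f))
    print("URG packets:", count_urg(SAMPLE_FRAMES))
    with open("urg_sample.pcap", "wb") as fh:   # then: tcpdump -nn -r urg_sample.pcap
        fh.write(pcap_bytes(SAMPLE_FRAMES))
```

The last sample frame reproduces Yohann's symptom in miniature: both checksum checks fail although nothing on the wire is corrupt, because the capture saw the packet before the NIC finished it. The practical check is to look at whether the bad checksums are confined to packets the capturing host itself sent; if so, disable offload on the capture interface or tell the analyzer to ignore checksums, rather than hunting for a libpcap bug.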