> I used the trace file from NLANR to test Bro.
> But Bro does nothing.
That's because those traces don't have any packet contents.
But the checksum function seems not to check the checksum of the contents,
just the packet head.
What should I do to make the trace file available?
You should first consider whether it will be useful to analyze them with
Bro, given a lack of contents.
I see the stepping.bro is using the ON/OFF algorithm, when report "time".
I have a novel way to detect connection pairs! And I want to compare mine
with the ON/OFF. :)
If so, then "redef ignore_checksums = T" will turn off the checksum tests.
Have a nice day!