Thank you for your quick feedback. It worked and my problem is solved.
Btw: I suspected my traces (I am using the MAWI traces), so I tried the
new_packet and tcp_packet events on the ftp.traces used in your last
workshop. The result was the same. However, there is another thing I
would like to point out when using the tcp_packet event handler:
the event is fired two times at the same moment (network_time()) for
the SYN and the SYN ACK messages. Is that normal? During this stage I
will manage by using the new_connection and connection_established events.
I will be using Bro for the rest of my PhD (it is a great tool). My
next step will be targeting VoIP, mainly SIP. Is there any SIP
analyser for Bro?
Quoting Vern Paxson <vern(a)ICIR.org>:
> I tried the tcp_packet and new_packet events but it seems that
> they are not fired at every received packet.
They pretty much should indeed be generated for every received packet,
other than corner-case exceptions such as bad packet headers, or fragments
(there are a number of these). What I suspect is happening is that
the traffic you're interested in isn't matching the packet-capture filter,
so it's not being looked at in the first place. The way to check this
is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.
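The following diagnostic script is an added example, not code from this thread or from the Bro distribution. It counts every tcp_packet event, breaks the count down by TCP flags, and prints the timestamps at which the SYN and SYN-ACK handlers run, so that both points raised above can be checked: whether the capture filter is dropping the traffic you care about (run with "-f tcp" and compare the totals against the packet count in the trace) and what network_time() actually reports for the two handshake packets. It assumes the Bro 1.x event signatures for new_connection, tcp_packet, connection_established and bro_done; the trace file name in the comment is a placeholder.

```bro
# count_tcp_packets.bro (added example, not part of the original thread)
#
# Run over a trace with the capture filter widened to all TCP traffic:
#     bro -r trace.pcap -f tcp count_tcp_packets.bro
# and compare the reported total with the number of TCP packets in the
# trace, e.g. from tcpdump -r trace.pcap -n tcp | wc -l
# (trace.pcap is a placeholder for your own trace file).

global tcp_pkts = 0;
global pkts_by_flags: table[string] of count &default = 0;
global handshakes_printed = 0;
const max_handshakes_to_print = 3 &redef;

event new_connection(c: connection)
	{
	print fmt("%.6f new_connection %s:%d -> %s:%d", network_time(),
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	++tcp_pkts;
	++pkts_by_flags[flags];

	# The SYN (from the originator) and the SYN-ACK (from the responder)
	# are separate packets, so two tcp_packet events are expected for one
	# handshake. Print each with network_time() so the timestamps can be
	# compared against the packet timestamps in the trace.
	if ( /S/ in flags && handshakes_printed < max_handshakes_to_print )
		{
		print fmt("%.6f tcp_packet %s flags=%s seq=%d ack=%d len=%d",
		          network_time(), is_orig ? "orig->resp" : "resp->orig",
		          flags, seq, ack, len);
		if ( ! is_orig )
			++handshakes_printed;
		}
	}

event connection_established(c: connection)
	{
	print fmt("%.6f connection_established %s:%d -> %s:%d", network_time(),
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}

event bro_done()
	{
	print fmt("tcp_packet events seen: %d", tcp_pkts);
	for ( f in pkts_by_flags )
		print fmt("  flags %s: %d", f, pkts_by_flags[f]);
	}
```

If the total printed at bro_done is far below the TCP packet count of the trace even with "-f tcp", the packets are being skipped for one of the corner-case reasons mentioned above (bad headers, fragments) rather than by the capture filter; if the total only matches once "-f tcp" is given, the default filter was the cause.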