Summary of changes to the packet engine. These provide support for jumbo
frames, VLAN encapsulation and UDP port scan detection.
FYI:
Quick notes on the changes that turn stock Bro into NERSC Bro. These
do not reflect the script changes that also need to happen.
Changes are in red.
1) PktSrc.cc
// Capture length (snaplen) for the packet source.
// NOTE(review): 9216 is presumably chosen so that a full jumbo frame fits in
// one captured packet; the code that passes this value to pcap is not shown
// here. Anything on the wire longer than the snaplen would reach the analyzers
// truncated, so confirm the value against the largest frame size the
// monitored link actually carries.
int snaplen = 9216;
// Sets hdr_size (the link-layer header length) from the pcap data-link type
// of the capture handle `pd`, and records that type in `datalink`.
//
// NOTE(review): the Ethernet case is fixed at 18 bytes where stock code used
// 14, i.e. it appears to assume that every frame carries exactly one 4-byte
// 802.1Q VLAN tag. If hdr_size is used elsewhere as a constant offset to the
// network-layer header (not visible in this excerpt), untagged frames and
// frames with stacked tags would be decoded at the wrong offset and could be
// missed by the analyzers. Confirm that the monitored link is uniformly
// single-tagged, or that the tag is checked per packet somewhere else.
//
// NOTE(review): for an unrecognised link type the source is closed and an
// error text is written to errbuf, but hdr_size is left untouched and
// datalink is still assigned afterwards.
void PktSrc::SetHdrSize()
{
	const int dl = pcap_datalink(pd);

	if ( dl == DLT_NULL )
		hdr_size = 4;
	else if ( dl == DLT_EN10MB )
		hdr_size = 18;	// was 14 in stock code
	else if ( dl == DLT_FDDI )
		hdr_size = 13 + 8;	// fddi_header + LLC
	else
		{
		// errbuf is declared outside this excerpt; its capacity cannot be
		// checked from here.
		sprintf(errbuf, "unknown data link type 0x%x", dl);
		Close();
		}

	datalink = dl;
}
2) UDP.cc
// Raises udp_request for this connection and, when the udp_scan_detect flag
// is non-zero, additionally raises connection_attempt. Always returns 1.
// All three parameters are unnamed and unused.
//
// NOTE(review): the extra event presumably lets scan-detection scripts that
// key on connection_attempt count UDP probes as well; those scripts are not
// part of this page, so confirm how they consume it. With the flag set, every
// call to this function produces two events instead of one.
int UDP_Connection::Request(double /* t */, const u_char* /* data */,
				int /* len */)
{
	Event(udp_request);

	if ( udp_scan_detect != 0 )
		{
		Event(connection_attempt);
		}

	return 1;
}
// Raises udp_reply for this connection and, when the udp_scan_detect flag is
// non-zero, additionally raises connection_established. Always returns 1.
// All three parameters are unnamed and unused.
//
// NOTE(review): UDP has no handshake, so connection_established here means
// only that this function was called for the connection. Scripts that read
// the event should not treat it as proof of a completed two-way setup the
// way they might for TCP; verify against the scan-detection policy.
int UDP_Connection::Reply(double /* t */, const u_char* /* data */,
				int /* len */)
{
	Event(udp_reply);

	if ( udp_scan_detect != 0 )
		{
		Event(connection_established);
		}

	return 1;
}
3) NetVar.cc/h
cc:
// Global flag that gates the extra connection_attempt and
// connection_established events raised in UDP.cc.
int udp_scan_detect;
// Excerpt from a different place in the file: an assignment cannot sit at
// file scope, so this line presumably belongs to the routine that loads
// script-level variables. The value is looked up under the script name
// "udp_scan_detect", so the policy scripts need a matching definition
// (the script changes are not shown on this page).
// NOTE(review): confirm what opt_internal_int yields when the script
// variable is absent, since that decides whether the feature defaults to off.
udp_scan_detect = opt_internal_int("udp_scan_detect");
h:
// Declaration of the flag defined in NetVar.cc, so that other source files
// (UDP.cc tests it) can read it.
extern int udp_scan_detect;