diff --git a/doc/faq.rst b/doc/faq.rst index 510d03c5af..6ddef4d8ea 100644 --- a/doc/faq.rst +++ b/doc/faq.rst @@ -59,34 +59,30 @@ Usage How can I identify backscatter? ------------------------------- -Identifying backscatter via connections labeled as ``OTH`` is not -a reliable means to detect backscatter. Use rather the following -procedure: - -* Enable connection history via ``redef record_state_history=T`` to - track all control/data packet types in connection logs. - -* Backscatter is now visible in terms of connections that never had an - initial ``SYN`` but started instead with a ``SYN-ACK`` or ``RST`` - (though this latter generally is just discarded). +Identifying backscatter via connections labeled as ``OTH`` is not a reliable +means to detect backscatter. Backscatter is however visible by interpreting +the contents of the ``history`` field in the ``conn.log`` file. The basic idea +is to watch for connections that never had an initial ``SYN`` but started +instead with a ``SYN-ACK`` or ``RST`` (though this latter generally is just +discarded). Here are some history fields which provide backscatter examples: +``hAFf``, ``r``. Refer to the conn protocol analysis scripts to interpret the +individual character meanings in the history field. Is there help for understanding Bro's resource consumption? ----------------------------------------------------------- There are two scripts that collect statistics on resource usage: -``stats.bro`` and ``profiling.bro``. The former is quite lightweight, -while the latter should only be used for debugging. Furthermore, -there's also ``print-globals.bro``, which prints the size of all -global script variable at termination. +``misc/stats.bro`` and ``misc/profiling.bro``. The former is quite +lightweight, while the latter should only be used for debugging. How can I capture packets as an unprivileged user? -------------------------------------------------- -Normally, unprivileged users cannot capture packets from a network -interface, which means they would not be able to use Bro to read/analyze -live traffic. However, there are ways to enable packet capture -permission for non-root users, which is worth doing in the context of -using Bro to monitor live traffic +Normally, unprivileged users cannot capture packets from a network interface, +which means they would not be able to use Bro to read/analyze live traffic. +However, there are operating system specific ways to enable packet capture +permission for non-root users, which is worth doing in the context of using +Bro to monitor live traffic. With Linux Capabilities ^^^^^^^^^^^^^^^^^^^^^^^