A few updates for the FAQ.

This commit is contained in:
Seth Hall 2012-01-10 11:25:53 -05:00
parent 4de670a10e
commit 4232e67db3


@ -59,34 +59,30 @@ Usage
How can I identify backscatter? How can I identify backscatter?
------------------------------- -------------------------------
Identifying backscatter via connections labeled as ``OTH`` is not Identifying backscatter via connections labeled as ``OTH`` is not a reliable
a reliable means to detect backscatter. Use rather the following means to detect backscatter. Backscatter is however visible by interpreting
procedure: the contents of the ``history`` field in the ``conn.log`` file. The basic idea
is to watch for connections that never had an initial ``SYN`` but started
* Enable connection history via ``redef record_state_history=T`` to instead with a ``SYN-ACK`` or ``RST`` (though this latter generally is just
track all control/data packet types in connection logs. discarded). Here are some history fields which provide backscatter examples:
``hAFf``, ``r``. Refer to the conn protocol analysis scripts to interpret the
* Backscatter is now visible in terms of connections that never had an individual character meanings in the history field.
initial ``SYN`` but started instead with a ``SYN-ACK`` or ``RST``
(though this latter generally is just discarded).
Is there help for understanding Bro's resource consumption? Is there help for understanding Bro's resource consumption?
----------------------------------------------------------- -----------------------------------------------------------
There are two scripts that collect statistics on resource usage: There are two scripts that collect statistics on resource usage:
``stats.bro`` and ``profiling.bro``. The former is quite lightweight, ``misc/stats.bro`` and ``misc/profiling.bro``. The former is quite
while the latter should only be used for debugging. Furthermore, lightweight, while the latter should only be used for debugging.
there's also ``print-globals.bro``, which prints the size of all
global script variable at termination.
How can I capture packets as an unprivileged user? How can I capture packets as an unprivileged user?
-------------------------------------------------- --------------------------------------------------
Normally, unprivileged users cannot capture packets from a network Normally, unprivileged users cannot capture packets from a network interface,
interface, which means they would not be able to use Bro to read/analyze which means they would not be able to use Bro to read/analyze live traffic.
live traffic. However, there are ways to enable packet capture However, there are operating system specific ways to enable packet capture
permission for non-root users, which is worth doing in the context of permission for non-root users, which is worth doing in the context of using
using Bro to monitor live traffic Bro to monitor live traffic.
With Linux Capabilities With Linux Capabilities
^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^