find-filtered-trace could be a bit smarter

Description

I fed Bro a pcap filtered to port 53 traffic. It had a bunch of UDP activity, but the TCP activity was just scans. This led to "The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired." being generated - misleading in this context. In particular, the trace doesn't contain only TCP control packets; rather, of the TCP packets it contained, those were only control packets.

Seems the script could be smarter and if it sees UDP w/ payload, then not warn.
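As an added illustration (not Bro's find-filtered-trace script and not code from the report), here is a small Python re-implementation of the heuristic the description discusses, run over constructed Ethernet/IPv4 frames: the original rule flags a trace when every TCP packet is a control packet, while the suggested refinement also stays quiet when UDP traffic with payload is present. The frame builders, the classification and the `looks_prefiltered` function are assumptions of this example, not Bro's actual logic.

```python
import struct

def ipv4_frame(proto, l4):
    """Constructed Ethernet+IPv4 frame carrying l4 (sample data, not from a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def tcp_segment(flags, payload=b""):
    # 20-byte header: data offset 5 in the high nibble, flag bits in the low byte
    return struct.pack("!HHIIHHHH", 40000, 53, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload

def udp_datagram(payload=b""):
    return struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload

def classify(frame):
    """Label one Ethernet/IPv4 frame: tcp_ctrl, tcp_data, udp_data, udp_empty or other."""
    if frame[12:14] != b"\x08\x00":
        return "other"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    l4 = ip[ihl:total_len]
    proto = ip[9]
    if proto == 6:  # TCP: a segment with no payload is a "control packet" (what a scan leaves behind)
        data_off = (l4[12] >> 4) * 4
        return "tcp_ctrl" if len(l4) == data_off else "tcp_data"
    if proto == 17:  # UDP: anything beyond the 8-byte header is payload
        return "udp_data" if len(l4) > 8 else "udp_empty"
    return "other"

def looks_prefiltered(frames, consider_udp=True):
    """Original rule: warn when every TCP packet seen is a control packet.
    Smarter rule (consider_udp=True): also require that no UDP packet carried payload."""
    kinds = [classify(f) for f in frames]
    tcp_kinds = [k for k in kinds if k.startswith("tcp")]
    if not tcp_kinds or "tcp_data" in tcp_kinds:
        return False  # no TCP to judge, or real TCP data present: nothing to warn about
    if consider_udp and "udp_data" in kinds:
        return False  # the report's case: scan-only TCP next to real UDP traffic (e.g. DNS)
    return True

SYN, ACK, RST = 0x02, 0x10, 0x04
# Constructed trace: one DNS-sized UDP datagram plus a port-53 TCP scan (SYN, SYN/ACK, RST), no TCP data.
DNS_TRACE = [
    ipv4_frame(17, udp_datagram(b"\x12\x34\x01\x00" + b"\x00" * 8)),
    ipv4_frame(6, tcp_segment(SYN)),
    ipv4_frame(6, tcp_segment(SYN | ACK)),
    ipv4_frame(6, tcp_segment(RST)),
]

if __name__ == "__main__":
    print("original rule warns:", looks_prefiltered(DNS_TRACE, consider_udp=False))  # True
    print("smarter rule warns: ", looks_prefiltered(DNS_TRACE))                      # False
```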

Environment

N/A - problem occurs reading pcaps

Assignee

Unassigned

Reporter

Vern Paxson

Labels

None

External issue ID

None

Components

Affects versions

Priority

Low