[Bro] tcpdump -w

Christian Kreibich christian at whoop.org
Thu Jun 16 11:15:26 PDT 2005


On Thu, 2005-06-16 at 11:35 -0300, Angelita de Cássia Corrêa wrote:
> Thanks, I put the two lines in .bash_profile:
> export BROHOME=/usr/local/bro
> export BROPATH=/usr/local/bro/policy:/usr/local/bro/site
> 
> Now, when I run this command to test:   /usr/local/bro/bin/bro -r
> /home/angelita/test.trace scan
> 
> I received this message: /usr/local/bro/bin/bro: problem with trace file
> /home/angelita/test.trace - fread: Inappropriate ioctl for device

I believe that's a pcap error message passed to Bro, and I seem to
recall seeing that error message when the trace file you're passing is
empty. Could that be possible? In any case, you want that file to be a
pcap trace file, typically generated using tcpdump -w.

  http://mailman.icsi.berkeley.edu/pipermail/bro/2004-July/001545.html

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
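
The reply above suspects an empty file where a pcap trace was expected. As an added example (not part of the original message and not Bro or libpcap code), this Python sketch checks that a byte string is a non-empty, well-formed classic pcap trace before it is handed to `bro -r`. The function name `check_pcap` and the sample trace are constructed for illustration.

```python
import struct

# First four file bytes of a classic pcap trace -> (struct byte order, timestamp unit)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}

def check_pcap(data: bytes) -> dict:
    """Validate a classic pcap byte string and count its packet records."""
    if len(data) == 0:
        return {"ok": False, "reason": "empty file"}
    if len(data) < 24:
        return {"ok": False, "reason": "shorter than the 24-byte global header"}
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        # pcapng section header block; this checker only covers classic pcap
        return {"ok": False, "reason": "pcapng, not classic pcap"}
    if data[:4] not in MAGICS:
        return {"ok": False, "reason": "bad magic number"}
    endian, unit = MAGICS[data[:4]]
    # Global header after the magic: version, thiszone, sigfigs, snaplen, linktype
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    offset, packets = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            return {"ok": False, "reason": "truncated record header", "packets": packets}
        # Record header: ts_sec, ts_frac, captured length, original length
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            return {"ok": False, "reason": "truncated packet data", "packets": packets}
        offset += incl_len
        packets += 1
    return {"ok": True, "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "unit": unit, "packets": packets}

# Constructed sample: little-endian pcap 2.4, Ethernet linktype, one 4-byte record
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + struct.pack("<IIII", 1118945726, 0, 4, 4) + b"\x00\x01\x02\x03")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # e.g. the trace passed to bro -r
        print(check_pcap(fh.read()))
```
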