[Bro] Bro on other Packet Trace Dumps.
berry1.0 at gmail.com
Mon Mar 28 00:59:24 PST 2005
are you saying that when this is run:
>> bro -r dumpfile brolite
dumpfile is a binary file? I thought bro took a tcpdump file and
tcpdump outputs files in the format of :
src > dst: flags data-seqno ack window urgent options
my packets were captured using a DAG2 system. traces are in DAG
format, which is a fixed 64 bytes record format with 40 bytes of IP
header. I extracted from my binary to make it look like a tcpdump
On Mon, 28 Mar 2005 10:49:01 +0200, Christoph Göldi <goeldich at ee.ethz.ch> wrote:
> hi dana
> tcpdump is also a binary format.
> how did you catch your dump?
> i mean when you catch it with tcpdump you get exactly what you described:
> packet headers in binary.
> --On Montag, 28. März 2005 18:35 +1000 Dana Zhang <berry1.0 at gmail.com>
> > hi Chris,
> >> i'm not sure, but i think that tcpdump is the only format at the moment
> >> which can be read by bro.
> >> what format do you have? maybe there is a converter around...
> > The current format of my data is just packet headers in binary. I
> > tried to convert to tcpdump format myself. can I confirm that tcpdump
> > format for tcp commections is:
> > src > dst: flags data-seqno ack window urgent options
> > i'm only working with tcp packets.
> > a couple of examples of my packets are as follows
> > 10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442
> > win 8623 10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack
> > 20496183 win 8474 10.0.0.67.4945 > 10.0.0.66.80: S
> > 2222637079:2222637079(0) win 32696 urg 0 10.0.0.11.26159 > 10.0.0.12.25:
> > . 868560419:868561879(1460) ack
> > 1691568355 win 61320
> > However, when I run this file with bro using
> >> bro -r dumpfile brolite
> > I receive the error problem with trace file dumpfile - bad dump file
> > format.
> > Is there something I missed?
> > Cheers,
> > Dana
More information about the Bro