[Bro] Bro on other Packet Trace Dumps.

Jonathan Paisley jp-www at dcs.gla.ac.uk
Mon Mar 28 02:09:29 PST 2005


On 28 Mar 2005, at 10:58, Dana Zhang wrote:

> I thought I was recreating the textual output that tcpdump would
> create. I don't understand why bro is telling me there is something
> wrong with my tcpdump imitation trace file.

This text output is _not_ what bro expects.

> What exactly should my packet trace file look like? I'm starting to
> get confused as to what bro accepts.

bro accepts only the tcpdump (aka pcap) _binary_ format.

Since you have a DAG format trace, you should just be able to use 
Endace's 'dagconvert' tool to convert to pcap format.

You'd do something like:

  $ dagconvert -T eth:pcap -i yourfile -o out.pcap
  $ bro ... -r out.pcap

I've assumed above that you've got legacy Ethernet file format. You may 
have ERF files from your dag capture, in which case you'd use '-T 
erf:pcap' in the dagconvert command line.

Here's the output from dagconvert -h:

$ dagconvert -h
dagconvert: DAG file conversion utility.
Usage: dagconvert [options]
     -d <device>            DAG device name
     -h                     display help (this page)
     -v                     increase verbosity
     -i <filename>          input file
     -o <filename>          output file
     -r N[k|m|g]            change output file after N Bytes.
                            k, m, g suffixes for kilobytes, megabytes, 
gigabytes.
     -s <snaplen>           output snap length
     -t <seconds>           capture period in seconds
     -T <in_type:out_type>  input and output types (see list of types 
below)
     -A <int>               output record alignment (ERF only)
     -V                     select variable length output (ERF only)
     -F                     select fixed length output (ERF only)
     -G                     specify GMT offset in seconds (pcap only)
     -c 0|16|32             specify number of bits in FCS checksum (pcap 
only)
     -f <list>              comma separated list of filters (see list of 
filters below)
     -b <BPF>               specify a BPF style filter

Supported types:
     dag    ERF direct from DAG device (input only)
     erf    ERF (extensible record format) file
     atm    legacy ATM file (input only)
     eth    legacy Ethernet file (input only)
     pos    legacy PoS file (input only)
     null   produces no input or output
     pcap   libpcap format file (output only)
     prt    ASCII text packet dump (output only)

Supported filters:
     rx       filter out rx errors (link layer)
     ds       filter out ds errors (framing)
     trunc    filter out truncated packets
     a,b,c,d  filter on indicated interface(s)

====

For reference, an extract from the pcap.h header file, which describes 
the file structure somewhat:

struct pcap_file_header {
         bpf_u_int32 magic;
         u_short version_major;
         u_short version_minor;
         bpf_int32 thiszone;     /* gmt to local correction */
         bpf_u_int32 sigfigs;    /* accuracy of timestamps */
         bpf_u_int32 snaplen;    /* max length saved portion of each pkt 
*/
         bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
};

/*
  * Each packet in the dump file is prepended with this generic header.
  * This gets around the problem of different headers for different
  * packet interfaces.
  */
struct pcap_pkthdr {
         struct timeval ts;      /* time stamp */
         bpf_u_int32 caplen;     /* length of portion present */
         bpf_u_int32 len;        /* length this packet (off wire) */
};




More information about the Bro mailing list