[Bro] Bro as a fancy pcap filter

Christian Kreibich christian at whoop.org
Mon Nov 21 17:48:09 PST 2005


I just bumped into a situation where I wanted to tell Bro to record
packets to an output pcap file, but do so only under certain
circumstances. In my case this essentially boiled down to "only the
first packet in a 5-tuple TCP/UDP flow that carries app-layer data", but
let's imagine any decision that depends on policy- or in-core state.

I got it to work by hacking around in the core, but it wasn't pretty.
Does Bro have a mechanism for doing this nicely? In the rewriter
framework, maybe (is that documented anywhere btw)? Thanks!
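The selection criterion the message describes, as an added example that is not part of the original post and is not Bro code (neither policy script nor core): a pure-Python pass over a libpcap file that keeps only the first payload-bearing packet of each TCP/UDP 5-tuple and writes the survivors back out as a pcap, record headers and timestamps intact. The function names, the sample frames, addresses, ports and timestamps are all constructed here for illustration; IP checksums are left at zero because the parser does not verify them. The `bidirectional` switch is an assumption added beyond the post's literal 5-tuple: it folds both directions of a conversation into one key, which also drops the server's first reply once the client's request has been kept.

```python
"""Added example (stdlib only, not Bro code): keep only the first payload-bearing
packet of every TCP/UDP 5-tuple in a pcap.  Sample traffic is constructed."""
import socket
import struct

ETH_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PCAP_MAGIC_LE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def write_pcap(frames, snaplen=65535):
    """Serialise raw Ethernet frames as a little-endian libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len (timestamps are synthetic)
        out.append(struct.pack("<IIII", 1132616889 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (record_header, frame) for each record of a little-endian Ethernet pcap."""
    magic, linktype = struct.unpack_from("<I16xI", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian microsecond pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len, = struct.unpack_from("<I", hdr, 8)
        off += 16
        yield hdr, data[off:off + incl_len]
        off += incl_len


def parse_ipv4_l4(frame):
    """Return ((proto, src, sport, dst, dport), payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    l4 = frame[14 + ihl:14 + total_len]          # drops Ethernet padding beyond the IP length
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]         # TCP data offset is in 32-bit words
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, ulen = struct.unpack_from("!HHH", l4, 0)
        payload = l4[8:ulen]
    else:
        return None
    return (proto, src, sport, dst, dport), payload


def first_payload_per_flow(pcap_bytes, bidirectional=False):
    """Return (filtered_pcap_bytes, kept_record_indices)."""
    # A packet survives only if it carries app-layer data and no earlier packet with
    # the same key did.  bidirectional=True folds both directions into one key, so the
    # server's first reply is dropped once the client's request has been kept.
    seen, kept, kept_idx = set(), [pcap_bytes[:24]], []
    for idx, (hdr, frame) in enumerate(read_pcap(pcap_bytes)):
        parsed = parse_ipv4_l4(frame)
        if parsed is None or not parsed[1]:      # not IPv4 TCP/UDP, or SYN/ACK/empty datagram
            continue
        key, _ = parsed
        if bidirectional:
            proto, src, sport, dst, dport = key
            key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        if key not in seen:
            seen.add(key)
            kept += [hdr, frame]                 # original record header keeps its timestamp
            kept_idx.append(idx)
    return b"".join(kept), kept_idx


# --- constructed sample traffic (IP checksums left zero; the parser does not verify them)
def _eth_ipv4(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, src, dst)
    return bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETH_IPV4) + ip + l4

def _tcp(src, sport, dst, dport, flags, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return _eth_ipv4(IPPROTO_TCP, src, dst, hdr + payload)

def _udp(src, sport, dst, dport, payload=b""):
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _eth_ipv4(IPPROTO_UDP, src, dst, hdr + payload)

A, B = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
SAMPLE_FRAMES = [
    _tcp(A, 40000, B, 80, 0x02),                              # 0 SYN: no data
    _tcp(B, 80, A, 40000, 0x12),                              # 1 SYN/ACK: no data
    _tcp(A, 40000, B, 80, 0x10),                              # 2 ACK: no data
    _tcp(A, 40000, B, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),   # 3 first data A->B: keep
    _tcp(A, 40000, B, 80, 0x18, b"Host: example\r\n\r\n"),    # 4 more data, same 5-tuple: drop
    _tcp(B, 80, A, 40000, 0x18, b"HTTP/1.0 200 OK\r\n\r\n"),  # 5 first data B->A: keep (unless bidirectional)
    _udp(A, 50000, B, 53, b"\x12\x34\x01\x00" + bytes(8)),    # 6 DNS query: keep
    _udp(A, 50000, B, 53, b"\x12\x35\x01\x00" + bytes(8)),    # 7 retry on same 5-tuple: drop
    _udp(A, 50001, B, 53),                                    # 8 empty datagram: drop
    bytes(12) + b"\x08\x06" + bytes(28),                      # 9 ARP, not IPv4: drop
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)
```

Running `first_payload_per_flow(SAMPLE_PCAP)` keeps records 3, 5 and 6 of the constructed capture; with `bidirectional=True` the server's reply (record 5) is folded into the client's flow and only 3 and 6 survive. Because the decision is made per record with a single `seen` set, the same loop body is what one would hang off a per-packet hook if the capturing tool exposed one; the pcap parsing here only stands in for the packets the tool already has in hand.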


