[Bro] About Bro and splitting of the tcpdump trace
rpang at cs.princeton.edu
Mon Sep 26 10:04:59 PDT 2005
> I want to find a tool to split the captured trace (using the tcpdump tool)
> into two parts: the normal sub-trace and the abnormal one, which
> comprises the network attacks detected. Can Bro do this? If not, any
> suggestion is preferred.
I can answer part of the question. Suppose you want to split a trace
into two sets of connections, A and B. If you can write a Bro policy
script to determine for each connection whether it belongs to A or B,
you can instruct Bro to write packets to an output trace on a
connection-by-connection basis. The function to call is:
# Dump original packets on the connection up to this point to the
# output trace, if any.
function dump_packets_of_connection%(c: connection%): any
More information about the Bro
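The following policy script is an added illustration of the approach rpang describes; it is not part of the original reply and not code shipped with Bro. It assumes Bro 1.x script syntax, the `connection_state_remove` event (raised when Bro drops a connection from its state table, after the last packet it will see for it), and that the output trace is the file named with `-w` on the command line. The responder-port set is a constructed placeholder standing in for whatever detection logic actually decides that a connection belongs to the "abnormal" set B.

```bro
# Added example, not from the original post or from Bro's distribution.
# Assumed invocation:  bro -r input.trace -w abnormal.trace split.bro
# The port set below is a placeholder criterion; replace it with the
# real test that classifies a connection into set A or set B.
global abnormal_ports: set[port] = { 23/tcp, 445/tcp } &redef;

# Decide, per connection, whether it belongs to the "abnormal" set B.
function is_abnormal(c: connection): bool
	{
	return c$id$resp_p in abnormal_ports;
	}

# At this point no further packets of c will be seen, so the packets
# dumped "up to this point" by dump_packets_of_connection() are the
# whole connection. They go to the -w output trace.
event connection_state_remove(c: connection)
	{
	if ( is_abnormal(c) )
		dump_packets_of_connection(c);
	}
```

One run with this test produces the abnormal sub-trace; a second run with the condition negated (`! is_abnormal(c)`) and a different `-w` file produces the normal one, which is how the two sets A and B of the reply end up in two separate files. Whether the earlier packets of a connection are still available to be dumped at `connection_state_remove` depends on Bro's packet-retention behaviour, which the post does not cover, so check the first few output connections against the input trace before relying on the split.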