[Bro] Capturing events

David Vasil dmvasil at ornl.gov
Thu Feb 2 08:03:27 PST 2006

I noticed the capture-events.bro policy and loaded it; it has been 
generating an events.bst file in my logs directory with data inside of 
it.  My question is:  what can I get out of this file?  Is this just a 
raw packet capture of anything that is flagged by a policy?

Also, I tried replaying the file using bro -R events.bst and it appears 
to be waiting for standard input.  When I try and specify a policy to 
use on the command line it errors with:

[root at endace bro]# bin/bro -R /scratch/bro/logs/events.bst http
./site, line 1: error: read failed with "Is a directory"

I searched through the documentation and saw no reference to 'replay' 
'events.bst' or even '.bst'.

Also, where can I get the start-capture-all script?  Is this just a 
wrapper around tcpdump; or does it grab the data before/after bro looks 
at the stream?  Unfortunately with the DAG capture cards I am testing 
with, only one application can read from the device at a single time. 
Any suggestions?  Thanks!

| David Vasil <dmvasil at ornl.gov>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
| Bldg: 5600-A115  Phone: (865)241-5562

More information about the Bro mailing list