[Bro] Bytes in conn.log is way too large
vern at icir.org
Fri Nov 2 15:09:54 PDT 2007
> To get rid of this issue, I tried use large-conns.bro, but it looks like
> that large-conns.bro has a problem when reading a trace from stdin.
Hmmm, indeed it does. It's because the secondary filter needs to reopen
the packet source, and in this case a second open of stdin gets in trouble
because both filters share the same kernel file descriptor.
It works if you instead use -r filename.
> Since my traces consist of several slices, I really do want to
> read from stdin.
Note, you can use "ipsumdump --collate -w whole-shebang.trace *.trace" to
glue together multiple pcap files into a single coherent trace.
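What "--collate" does, as an added example that is not part of the thread and not ipsumdump's or Bro's own code: merge several pcap slices into one trace ordered by packet timestamp, so the result can be handed to Bro as a named file (-r filename) that the secondary filter is able to reopen. It assumes classic little-endian pcap with microsecond timestamps and identical link type/snaplen across slices; the sample packets are constructed.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def read_pcap(data: bytes):
    """Parse a pcap byte string into (global_header, [(ts_usec, record_bytes), ...])."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    header = data[:GLOBAL_HDR_LEN]
    records = []
    off = GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec * 1_000_000 + ts_usec, data[off:end]))
        off = end
    return header, records


def collate(pcaps):
    """Merge pcap byte strings (each already in time order) into one trace by timestamp."""
    headers, streams = [], []
    for p in pcaps:
        h, recs = read_pcap(p)
        headers.append(h)
        streams.append(recs)
    if len(set(headers)) != 1:
        raise ValueError("global headers differ (link type/snaplen); cannot collate")
    merged = heapq.merge(*streams, key=lambda r: r[0])  # k-way merge, slices stay sorted
    return headers[0] + b"".join(rec for _ts, rec in merged)


def make_pcap(packets):
    """Build a constructed pcap (Ethernet link type) from (ts_sec, ts_usec, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out


def timestamps(pcap):
    """Packet timestamps in microseconds, in file order (for checking the merge)."""
    return [ts for ts, _ in read_pcap(pcap)[1]]
```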