[Bro] Capturing the raw trace...

Randolph Reitz rreitz at fnal.gov
Wed Oct 10 11:27:27 PDT 2007


Doh! RTFM!  I actually spent some time *reading* the tcpdump man page  
(on tcpdump.org) and discovered that the '-G 3600' option will rotate  
the -w log files every hour.  Humm, my Linux tcpdump 3.8 doesn't seem  
to have a -G option.  Looks like I need tcpdump 3.9?

I will run tcpdump on a different system from BRO.  I happen to have  
two systems connected to the border traffic fire-hose.  I will be  
able to wait for BRO to trigger on a bogus outbound port scan and  
then go look for the raw dump file.  So far, BRO hasn't triggered on  
any bogus outbound port scans since I sent my original mail.  Humm,  
this must be a Heisenbug.

Thanks,
Randy
On Oct 10, 2007, at   12:12, Robin Sommer wrote:

>
> On Wed, Oct 10, 2007 at 10:53 -0500, Randolph Reitz wrote:
>
>> exists?  Does BRO have some secret way of preserving the libpcap
>> output (er, the BRO input)?
>
> Nice picture. :) But try the -w option first; it records all of
> Bro's input into a trace file.
Well, we need to manage the trace file.  When BRO is checkpointed  
daily, will a new trace file be created?
>
> Robin
>
> -- 
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
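
An added example, not from either poster, of the capture-and-lookup workflow described above: run tcpdump with -G/-w so the raw trace rotates hourly, then, once Bro raises an alarm, find the rotated file that covers the alarm time. It assumes a tcpdump that supports -G (the strftime template in the -w name is expanded with the time each file is opened, not an hour boundary, so the lookup picks the newest file started at or before the alarm), and the directory, interface and file-name template are hypothetical. tcpdump expands the template in local time, so run the lookup under the same TZ as the capture.

```shell
#!/bin/sh
# Added example (not from the thread): hourly raw-trace rotation with
# tcpdump -G/-w and a lookup from a Bro alarm time to the capture file.
# Assumes: a tcpdump that supports -G, and the hypothetical template
#   border-%Y%m%d-%H%M%S.pcap   (time the file was opened, local time).

TRACE_DIR=${TRACE_DIR:-/var/trace}      # hypothetical capture directory
IFACE=${IFACE:-eth1}                    # hypothetical sniffing interface
ROTATE_SECS=3600                        # one file per hour, as in the thread

# Print the capture command line (run it as root, e.g. under a service
# manager). -s 0 keeps full packets; -n avoids DNS lookups on the sensor.
capture_cmd() {
    printf 'tcpdump -n -i %s -s 0 -G %s -w %s/border-%%Y%%m%%d-%%H%%M%%S.pcap\n' \
        "$IFACE" "$ROTATE_SECS" "$TRACE_DIR"
}

# Turn "YYYYMMDD-HHMMSS" into a 14-digit integer so files can be ordered
# with plain integer tests (no date(1) dialect dependence).
stamp_key() {
    s=$1
    printf '%s%s\n' "${s%-*}" "${s#*-}"
}

# trace_for_alarm DIR ALARM_STAMP
# Prints the rotated capture whose open time is the latest one at or
# before ALARM_STAMP (YYYYMMDD-HHMMSS, same TZ as the capture). Prints
# nothing and returns 1 if the alarm predates every file on disk.
trace_for_alarm() {
    dir=$1; want=$(stamp_key "$2"); best=; bestkey=
    for f in "$dir"/border-*.pcap; do
        [ -e "$f" ] || continue              # empty glob, no files yet
        name=${f##*/}
        stamp=${name#border-}; stamp=${stamp%.pcap}
        key=$(stamp_key "$stamp")
        case $key in *[!0-9]*) continue;; esac   # name does not fit template
        if [ "$key" -le "$want" ]; then
            if [ -z "$best" ] || [ "$key" -gt "$bestkey" ]; then
                best=$f; bestkey=$key
            fi
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Usage:
#   capture_cmd                      # shows the tcpdump line to start
#   trace_for_alarm /var/trace 20071010-093000
```

If the capture is restarted, the file that starts before the alarm may not actually extend to it, so confirm with `tcpdump -r FILE -tttt | tail -1` that the file's last packet is past the alarm time; adding `-W N` to the capture command caps the number of rotated files kept on disk.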