[Bro] Capturing the raw trace...
robin at icir.org
Wed Oct 10 12:22:52 PDT 2007
On Wed, Oct 10, 2007 at 13:27 -0500, you wrote:

> the -w log files every hour. Humm, my Linux tcpdump 3.8 doesn't seem
> to have a -G option. Looks like I need tcpdump 3.9?

(Yes, I think it's a pretty recent addition.)

Running a tcpdump in parallel is certainly a good thing if you have
the resources for that.

> Well, we need to manage the trace file. When BRO is checkpointed
> daily, will a new trace file be created?

You can use the mechanisms in rotate-logs.bro to rotate the trace
file with all the other logs by adding it to the aux_files set.
(When Bro rotates the files in aux_files, it will automagically do
the right pcap magic for the trace file.)
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org