[Bro] Capturing the raw trace...

Robin Sommer robin at icir.org
Wed Oct 10 12:22:52 PDT 2007

On Wed, Oct 10, 2007 at 13:27 -0500, you wrote:

> the -w log files every hour.  Humm, my Linux tcpdump 3.8 doesn't seem
> to have a -G option.  Looks like I need tcpdump 3.9?

(Yes, I think it's a pretty recent addition.)

Running a tcpdump in parallel is certainly a good thing if you have
the resources for that.

> Well, we need to manage the trace file.  When BRO is checkpointed
> daily, will a new trace file be created?

You can use the mechanisms in rotate-logs.bro to rotate the trace
file with all the other logs by adding it to the aux_files set.
(When Bro rotates the files in aux_files, it will automagically do
the right pcap magic for the trace file.)