[Bro] Capturing the raw trace...

Tim Rupp tarupp at fnal.gov
Wed Oct 10 12:13:53 PDT 2007

Found it in tcpdump. Looks like it's not in the recent stable tarballs
though; I needed to compile from CVS.

Use the -G flag with an appropriate -w flag

for example, to create a new dump file every 10 seconds:

	tcpdump -G 10 -i eth0 -w "%Y-%m-%d_%H:%M:%S"

will create files that look like


Note that the time interval to -G isn't 100% accurate, but it's close

So LBL needs to push out 3.9 so that the world can rejoice in -G : )


Randolph Reitz wrote:
> OK, so I understand that to really debug BRO one needs tcpdump stuff
> rather than BRO's connection records.
> Discussing how to get a continuous supply of tcpdump stuff, Tim Rupp and
> I have come up with this idea ...
> ------------------------------------------------------------------------
> Before we go off and invent the above, I'm asking if this already
> exists?  Does BRO have some secret way of preserving the libpcap output
> (er, the BRO input)?
> Thanks,
> Randy
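As an added example (not from this thread or from tcpdump itself), a Python check that reads the rotation timestamps back out of the file names produced by the -w pattern above and flags any two consecutive files spaced further apart than the -G interval plus a small drift allowance, so a stalled capture is noticed rather than assumed continuous. The sample file names are constructed.

```python
"""Check a directory of tcpdump -G rotated captures for gaps in coverage."""
from datetime import datetime, timedelta
from pathlib import Path

# The strftime pattern given to "tcpdump -G 10 -w" in the message above.
NAME_FORMAT = "%Y-%m-%d_%H:%M:%S"


def parse_capture_time(name):
    """Return the rotation time encoded in a capture file name, or None."""
    try:
        return datetime.strptime(name, NAME_FORMAT)
    except ValueError:
        return None


def find_coverage_gaps(names, interval_s, slack_s=2):
    """Return (start_file, end_file, seconds) for each pair of consecutive
    files spaced more than interval_s + slack_s apart. The slack absorbs
    the small inaccuracy of -G noted above; anything larger means tcpdump
    was not writing for a while."""
    times = sorted(t for t in map(parse_capture_time, names) if t is not None)
    limit = timedelta(seconds=interval_s + slack_s)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        delta = later - earlier
        if delta > limit:
            gaps.append((earlier.strftime(NAME_FORMAT),
                         later.strftime(NAME_FORMAT),
                         int(delta.total_seconds())))
    return gaps


def check_directory(path, interval_s, slack_s=2):
    """Apply find_coverage_gaps to the plain files in a capture directory."""
    names = [p.name for p in Path(path).iterdir() if p.is_file()]
    return find_coverage_gaps(names, interval_s, slack_s)


# Constructed sample for a 10-second rotation: one file is 1 s late (normal
# drift) and one is 40 s late (capture stopped or the host stalled).
SAMPLE_NAMES = [
    "2007-10-10_12:00:00",
    "2007-10-10_12:00:10",
    "2007-10-10_12:00:21",  # 11 s apart: within the drift the message describes
    "2007-10-10_12:00:31",
    "2007-10-10_12:01:11",  # 40 s apart: a real gap in coverage
    "2007-10-10_12:01:21",
    "README.txt",           # non-capture file, ignored by the parser
]

if __name__ == "__main__":
    for start, end, seconds in find_coverage_gaps(SAMPLE_NAMES, interval_s=10):
        print(f"gap of {seconds}s between {start} and {end}")
```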
