[Bro] Capturing the raw trace...
mcuttler at bnl.gov
Wed Oct 10 13:07:05 PDT 2007
Randolph Reitz wrote:
> OK, so I understand that to really debug BRO one needs tcpdump stuff
> rather than BRO's connection records.
> Discussing how to get a continuous supply of tcpdump stuff, Tim Rupp
> and I have come up with this idea ...
> Before we go off and invent the above, I'm asking if this already
> exists? Does BRO have some secret way of preserving the libpcap
> output (er, the BRO input)?
If you're looking to write pcaps out to disk, you can use something like
Time Machine (1) or Daemonlogger (2).
If you're interested, we can discuss off-list :)