[Bro] Capturing the raw trace...
Randolph Reitz
rreitz at fnal.gov
Wed Oct 10 11:27:27 PDT 2007
Doh! RTFM! I actually spent some time *reading* the tcpdump man page
(on tcpdump.org) and discovered that the '-G 3600' option will rotate
the -w log files every hour. Humm, my Linux tcpdump 3.8 doesn't seem
to have a -G option. Looks like I need tcpdump 3.9?
I will run tcpdump on a different system from BRO. I happen to have
two systems connected to the border traffic fire-hose. I will be
able to wait for BRO to trigger on a bogus outbound port scan and
then go look for the raw dump file. So far, BRO hasn't triggered on
any bogus outbound port scans since I sent my original mail. Humm,
this must be a Heisenbug.
Thanks,
Randy
On Oct 10, 2007, at 12:12, Robin Sommer wrote:
>
> On Wed, Oct 10, 2007 at 10:53 -0500, Randolph Reitz wrote:
>
>> exists? Does BRO have some secret way of preserving the libpcap
>> output (er, the BRO input)?
>
> Nice picture. :) But try the -w option first; it records all of
> Bro's input into a trace file.
Well, we need to manage the trace file. When BRO is checkpointed
daily, will a new trace file be created?
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
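Added example, not from the thread: the hourly rotation described above on the second capture box, plus a helper that answers the follow-up question of which rotated file holds the packets behind a Bro alert. The capture directory, the `trace-<epoch>.pcap` naming scheme (relying on glibc's `%s` strftime extension in the `-w` name) and the sample file names are assumptions.

```bash
#!/usr/bin/env bash
# Hourly-rotated raw capture on a box separate from Bro, and a lookup that
# maps a Bro alert timestamp back to the rotated trace file covering it.
# Assumptions: files are written as trace-<epoch>.pcap via tcpdump's
# strftime(3) expansion of the -w name (%s is a glibc extension).

CAPTURE_DIR="${CAPTURE_DIR:-/var/spool/traces}"   # assumed location
ROTATE_SECS=3600                                   # -G 3600: new file each hour

# Start the capture: -n no name lookups, -s 0 full packets, -G rotate -w file.
start_capture() {
    local iface="$1"
    tcpdump -n -s 0 -i "$iface" -G "$ROTATE_SECS" \
        -w "$CAPTURE_DIR/trace-%s.pcap"
}

# Pull the epoch start time out of a rotated file name.
trace_start() {
    local base
    base="$(basename "$1")"
    base="${base#trace-}"
    echo "${base%.pcap}"
}

# Print the trace file whose start time is the latest not after the alert
# and within one rotation interval of it; print nothing if a capture gap
# means no file actually covers the alert (better than naming a wrong file).
pick_trace_for_alert() {
    local alert="$1"; shift
    local best="" best_start=-1 f start
    for f in "$@"; do
        start="$(trace_start "$f")"
        case "$start" in *[!0-9]*|"") continue ;; esac   # skip odd names
        if [ "$start" -le "$alert" ] && [ "$start" -gt "$best_start" ] \
           && [ $((alert - start)) -lt "$ROTATE_SECS" ]; then
            best="$f"; best_start="$start"
        fi
    done
    if [ -n "$best" ]; then echo "$best"; fi
}

# Constructed sample: three hourly files and an alert 1000 s into the second.
SAMPLE_TRACES="trace-1191992400.pcap trace-1191996000.pcap trace-1191999600.pcap"
demo() {
    # shellcheck disable=SC2086
    pick_trace_for_alert 1191997000 $SAMPLE_TRACES   # trace-1191996000.pcap
}
```

In practice the file list is `"$CAPTURE_DIR"/trace-*.pcap` and the alert time is the epoch timestamp from Bro's notice, after which the chosen file can be read back with `tcpdump -r`.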