[Bro] Offline/Tracefile Traffic Classification with Bro

Robin Sommer robin at icir.org
Mon Nov 3 10:33:18 PST 2008


On Thu, Oct 30, 2008 at 18:10 +0100, you wrote:

> I am hoping that with Bro mechanism, I can classify packets/flows
> easier with higher accuracy.

Bro cannot directly classify the connections *and* extract all of
their packets. You could use Bro to classify them first, and then
use some other tool to extract all relevant connections.

Perhaps NetDude might come in handy as well, see
http://netdude.sourceforge.net/plugins-libnetdude.html#appdemux and
perhaps http://netdude.sourceforge.net/plugins-libnetdude.html#demux

I'm sure one could also write a NetDude plugins which takes a list
of connections and then writes all packets belonging to one of them
into the output file. 

>> Another question, can Bro handle the compressed trace file by itself
>> or I always have to use zcat?  

You need to use zcat but that's usually not a problem.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


More information about the Bro mailing list