[Bro] Offline/Tracefile Traffic Classification with Bro

Robin Sommer robin at icir.org
Wed Oct 22 14:41:11 PDT 2008


On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:

> For instance, given a trace file A, and a specific protocol, say, SSH,
> what I have to do is generate another trace file which contains only
> SSH packets from the trace A.
> I do not need the SSH trace file automatically.
> But I need at least the 5-tuple of the SSH flows that reside in the
> trace A so that I can extract the SSH packets later.

Is this what you're looking for?

zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log

Or if you need just the packets, skip Bro alltogether. 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org



More information about the Bro mailing list