[Bro] Offline/Tracefile Traffic Classification with Bro
isara.a at gmail.com
Wed Oct 22 15:07:23 PDT 2008
thanks a lot for the answer.
That is what I am looking for, but not entirely.
As far as I understand from the syntax, it pushes every packet that
has TCP port 22 into Bro.
Bro then summarizes the connections in the conn.log (using tcp policy).
And you are right, I want just the packets so that I can process later.
However, it might work with SSH, but the reason I need Bro here is
that some applications that I am interested in require payload
And even though it is SSH, I would like to be sure that it is actually
SSH (by analyzing the payload not just port number).
I just found out that with switch "-w <writefile>", Bro can output the packets.
If I use sth like
bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro,
would Bro return packets of all flows that match the policy in
Another question, can Bro handle the compressed trace file by itself
or I always have to use zcat?
Thank you very much!
On Wed, Oct 22, 2008 at 11:41 PM, Robin Sommer <robin at icir.org> wrote:
> On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
>> For instance, given a trace file A, and a specific protocol, say, SSH,
>> what I have to do is generate another trace file which contains only
>> SSH packets from the trace A.
>> I do not need the SSH trace file automatically.
>> But I need at least the 5-tuple of the SSH flows that reside in the
>> trace A so that I can extract the SSH packets later.
> Is this what you're looking for?
> zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
> Or if you need just the packets, skip Bro alltogether.
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro