[Bro] Offline/Tracefile Traffic Classification with Bro

Isara Anantavrasilp isara.a at gmail.com
Wed Oct 22 15:07:23 PDT 2008


thanks a lot for the answer.
That is what I am looking for, but not entirely.

As far as I understand from the syntax, it pushes every packet that
has TCP port 22 into Bro.
Bro then summarizes the connections in the conn.log (using tcp policy).
And you are right, I want just the packets so that I can process later.

However, it might work with SSH, but the reason I need Bro here is
that some applications that I am interested in require payload.
And even though it is SSH, I would like to be sure that it is actually
SSH (by analyzing the payload, not just the port number).

I just found out that with switch "-w <writefile>", Bro can output the packets.
If I use something like

bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro,

would Bro return packets of all flows that match the policy in

Another question: can Bro handle a compressed trace file by itself,
or do I always have to use zcat?

Thank you very much!

-- Isara

On Wed, Oct 22, 2008 at 11:41 PM, Robin Sommer <robin at icir.org> wrote:
> On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
>> For instance, given a trace file A, and a specific protocol, say, SSH,
>> what I have to do is generate another trace file which contains only
>> SSH packets from the trace A.
>> I do not need the SSH trace file automatically.
>> But I need at least the 5-tuple of the SSH flows that reside in the
>> trace A so that I can extract the SSH packets later.
> Is this what you're looking for?
> zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
> Or if you need just the packets, skip Bro altogether.
> Robin
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
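The thread's underlying task, recovering the 5-tuples of SSH flows from a trace by looking at the payload rather than trusting port 22, and reading a gzip-compressed trace without a separate zcat step, can be shown in plain Python with only the standard library. This is an added example for illustration, not code from the thread or from Bro; it assumes a libpcap file with Ethernet link type, IPv4 over TCP, and identifies SSH by the "SSH-" protocol banner, and the sample trace it parses is constructed inline.

```python
import gzip
import socket
import struct
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto")

def ssh_flows(raw):
    """5-tuples of TCP packets in a libpcap (Ethernet) trace whose payload starts
    with an SSH banner; a gzip-compressed trace is accepted as-is (no zcat)."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    magic, = struct.unpack("<I", raw[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"   # file byte order from the magic
    off, flows = 24, set()                      # skip the 24-byte global header
    while off + 16 <= len(raw):
        caplen, = struct.unpack(end + "I", raw[off + 8:off + 12])
        pkt = raw[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                            # IPv4 over Ethernet, TCP only
        ihl = (pkt[14] & 0x0F) * 4
        ip, tcp = pkt[14:14 + ihl], pkt[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload.startswith(b"SSH-"):         # decide by payload, not by port
            flows.add(Flow(socket.inet_ntoa(ip[12:16]), sport,
                           socket.inet_ntoa(ip[16:20]), dport, "tcp"))
    return flows

# Constructed sample trace (not real traffic) so the example runs offline.
def _pkt(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return bytes(12) + b"\x08\x00" + ip          # Ethernet header with zero MACs

def _pcap(pkts):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)

SAMPLE_PCAP = _pcap([
    _pkt("10.0.0.1", 40000, "10.0.0.2", 22, b"SSH-2.0-OpenSSH_5.1\r\n"),    # SSH on 22
    _pkt("10.0.0.1", 40001, "10.0.0.3", 2222, b"SSH-2.0-OpenSSH_5.1\r\n"),  # SSH, odd port
    _pkt("10.0.0.1", 40002, "10.0.0.4", 22, b"GET / HTTP/1.0\r\n\r\n"),     # port 22, not SSH
])
SAMPLE_PCAP_GZ = gzip.compress(SAMPLE_PCAP)
```

Running `ssh_flows(SAMPLE_PCAP)` returns the two banner-carrying flows (including the one on port 2222) and leaves out the non-SSH traffic on port 22, which is exactly the distinction a port-only tcpdump filter cannot make; the gzip-compressed copy gives the same result.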

