[Bro] Offline/Tracefile Traffic Classification with Bro
isara.a at gmail.com
Thu Oct 30 10:10:48 PDT 2008
Thanks for the advice and sorry for the late reply.
I have looked into wireshark even before Bro.
The problem that I have is that I have to classify the flows in
several extra-large traces.
And it cannot be done without some automated tools.
Up to now I have written a simple classifier based on libtrace but I
am not sure if my own signatures (as well as the algorithm) are valid.
And since Bro is designed to do the classification and it already has
I am hoping that with Bro's mechanism I can classify packets/flows
more easily and with higher accuracy.
On Thu, Oct 23, 2008 at 6:23 AM, rmkml <rmkml at free.fr> wrote:
> Hi Isara,
> maybe check with ngrep or wireshark; the latter supports compressed pcap
> files plus heuristic/filter dissectors...
> On Thu, 23 Oct 2008, Isara Anantavrasilp wrote:
>> Date: Thu, 23 Oct 2008 00:07:23 +0200
>> From: Isara Anantavrasilp <isara.a at gmail.com>
>> To: Robin Sommer <robin at icir.org>
>> Cc: bro at ICSI.Berkeley.EDU
>> Subject: Re: [Bro] Offline/Tracefile Traffic Classification with Bro
>> Thanks a lot for the answer.
>> That is what I am looking for, but not entirely.
>> As far as I understand from the syntax, it pushes every packet that
>> has TCP port 22 into Bro.
>> Bro then summarizes the connections in the conn.log (using tcp policy).
>> And you are right, I want just the packets so that I can process later.
>> However, it might work with SSH, but the reason I need Bro here is
>> that some applications that I am interested in require payload
>> And even though it is SSH, I would like to be sure that it is actually
>> SSH (by analyzing the payload not just port number).
>> I just found out that with switch "-w <writefile>", Bro can output the
>> If I use something like
>> bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro,
>> would Bro return packets of all flows that match the policy in
>> Another question: can Bro handle the compressed trace file by itself,
>> or do I always have to use zcat?
>> Thank you very much!
>> -- Isara
>> On Wed, Oct 22, 2008 at 11:41 PM, Robin Sommer <robin at icir.org> wrote:
>>> On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
>>>> For instance, given a trace file A, and a specific protocol, say, SSH,
>>>> what I have to do is generate another trace file which contains only
>>>> SSH packets from the trace A.
>>>> I do not need the SSH trace file automatically.
>>>> But I need at least the 5-tuple of the SSH flows that reside in the
>>>> trace A so that I can extract the SSH packets later.
>>> Is this what you're looking for?
>>> zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
>>> Or if you need just the packets, skip Bro altogether.
>>> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
>>> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
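What Isara describes (label each flow by its payload rather than its port, list the 5-tuples, and carve the matching packets out into a new trace, as "-w" would) as an added worked example in Python. This is written for this page; it is not Bro code and not code from anyone in the thread. It uses only the standard library, reads classic uncompressed pcap with Ethernet framing, and deliberately refuses gzip input instead of decompressing it, so a compressed trace still goes through zcat as in Robin's pipeline. The signature regexes, the addresses and the sample packets are constructed for the example and are not from a real capture.

```python
"""Classify TCP flows in a pcap by payload signature and carve out the matching packets.
Standard library only; a stand-in for what the thread asks of Bro signatures plus -w."""
import re
import struct

# Signatures on the first application bytes of a flow; the port number is never consulted.
SIGNATURES = {
    "ssh": re.compile(rb"^SSH-\d\.\d+-"),
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
}
PCAP_GLOBAL = struct.pack(">4sHHiIII", b"\xa1\xb2\xc3\xd4", 2, 4, 0, 0, 65535, 1)  # v2.4, Ethernet

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record of an uncompressed classic pcap."""
    byteorder = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if byteorder is None:
        raise ValueError("not a classic pcap (gzip-compressed? run it through zcat first)")
    if struct.unpack(byteorder + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) frames are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(byteorder + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return ((src, sport, dst, dport, 'tcp'), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # bound by IP total length, drops any trailer
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return (src, sport, dst, dport, "tcp"), payload

def flow_key(five):
    # Direction-independent key so both halves of a connection share one entry.
    src, sport, dst, dport, proto = five
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def classify(pcap):
    """Map each TCP flow (5-tuple as first seen) to the label of the first payload that
    matches a signature, or 'unclassified' if no payload in either direction ever does."""
    flows = {}  # flow_key -> [five_tuple, label]
    for _, _, frame in read_pcap(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        five, payload = parsed
        entry = flows.setdefault(flow_key(five), [five, None])
        if entry[1] is None and payload:
            entry[1] = next((name for name, rx in SIGNATURES.items() if rx.match(payload)), None)
    return {five: label or "unclassified" for five, label in flows.values()}

def extract(pcap, wanted):
    """Return a new pcap holding only packets of flows classified as `wanted`: the
    offline analogue of 'bro -r in.pcap -w out.pcap' driven by a signature."""
    keep = {flow_key(f) for f, label in classify(pcap).items() if label == wanted}
    out = bytearray(PCAP_GLOBAL)
    for ts_sec, ts_usec, frame in read_pcap(pcap):
        parsed = parse_tcp(frame)
        if parsed and flow_key(parsed[0]) in keep:
            out += struct.pack(">IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)

# --- constructed test traffic (not a real capture; IP/TCP checksums left at zero) ---
def make_frame(src, sport, dst, dport, payload=b"", flags=0x18):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def make_pcap(frames):
    out = bytearray(PCAP_GLOBAL)
    for i, frame in enumerate(frames):
        out += struct.pack(">IIII", 1225000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

SAMPLE_PCAP = make_pcap([
    make_frame("10.0.0.1", 40000, "10.0.0.2", 22, b"SSH-2.0-OpenSSH_5.1\r\n"),
    make_frame("10.0.0.2", 22, "10.0.0.1", 40000, b"SSH-2.0-OpenSSH_4.7\r\n"),
    make_frame("10.0.0.1", 40001, "10.0.0.3", 2222, flags=0x02),             # bare SYN, no payload
    make_frame("10.0.0.1", 40001, "10.0.0.3", 2222, b"SSH-2.0-PuTTY\r\n"),    # SSH on a non-standard port
    make_frame("10.0.0.4", 51000, "10.0.0.5", 22, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # port 22, not SSH
    make_frame("10.0.0.6", 52000, "10.0.0.7", 9999, b"\x00\x01\x02"),        # matches nothing
])

if __name__ == "__main__":
    for five, label in sorted(classify(SAMPLE_PCAP).items()):
        print(f"{label:13} {five}")
    print(len(list(read_pcap(extract(SAMPLE_PCAP, "ssh")))), "packets kept in the SSH-only pcap")
```

Run against a real trace with `classify(open("A.pcap", "rb").read())` and write `extract(...)` to a file; the whole trace is read into memory, so an extra-large file would want the record loop turned into a streaming read. The point the sample traffic makes is the one in the thread: the flow on port 2222 is labelled SSH because its banner says so, and the flow on port 22 carrying an HTTP request is not, which a port filter like `tcpdump port 22` cannot tell apart.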