[Bro] Offline/Tracefile Traffic Classification with Bro
Robin Sommer
robin at icir.org
Wed Oct 22 14:41:11 PDT 2008
On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
> For instance, given a trace file A, and a specific protocol, say, SSH,
> what I have to do is generate another trace file which contains only
> SSH packets from the trace A.
> I do not need the SSH trace file automatically.
> But I need at least the 5-tuple of the SSH flows that reside in the
> trace A so that I can extract the SSH packets later.
Is this what you're looking for?
zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
Or if you need just the packets, skip Bro altogether.
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
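As an added illustration of Robin's second option (extracting the port-22 flows without Bro), here is a small Python script, not part of the thread, that reads a classic pcap and returns the 5-tuples of TCP packets touching port 22. The trace it runs on is constructed in the script; it handles Ethernet/IPv4 only, does not parse pcapng, and port 22 is only a heuristic for SSH, which is the part Bro's protocol analysis would do properly.

```python
import struct

ETH_IPV4, IPPROTO_TCP = 0x0800, 6

def pcap_records(data):
    """Yield raw frames from a classic pcap buffer (either byte order)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def flows_on_port(data, port=22):
    """5-tuples (proto, src, sport, dst, dport) of TCP packets with `port` on either side."""
    flows = set()
    for frame in pcap_records(data):
        # Ethernet (14) + minimal IPv4 (20); skip non-IPv4 and non-TCP frames
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != IPPROTO_TCP:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + ihl + 4]
        if len(tcp) == 4:
            sport, dport = struct.unpack("!HH", tcp)
            if port in (sport, dport):
                flows.add(("tcp", src, sport, dst, dport))
    return flows

# --- constructed sample trace (not captured traffic); checksums left at zero ---
def make_frame(src, sport, dst, dport):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = make_pcap([
    make_frame("10.0.0.5", 40000, "192.0.2.10", 22),   # client -> SSH server
    make_frame("192.0.2.10", 22, "10.0.0.5", 40000),   # server reply
    make_frame("10.0.0.5", 40001, "192.0.2.20", 80),   # unrelated HTTP, filtered out
])
```

Each direction of a connection yields its own tuple; collapse them by sorting the endpoints if you want one entry per flow for a later tcpdump filter.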