[Bro] processing many files with bro

Veronica Estrada estrada.veronica at gmail.com
Wed Mar 10 06:46:06 PST 2010


Hello,

I am processing several hours of captured traffic split into pcap files that
cover 1 minute of traffic each. Actually, I have this basic script to do
that.

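#!/bin/bash
# Directory holding the one-minute pcap files (first argument)
path="$1"
for p in "$path"/*; do
    f=$(basename "$p")
    # Tag this run's log files with the pcap file name
    export BRO_LOG_SUFFIX="$f"
    /usr/local/bro/bin/bro -r "$p" brolite mysite
done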

But my goal is for Bro to recognize connections that could be split across
several files. I am thinking that one solution is to modify some variables and
make them "persistent". Is that correct? Which variables should I modify?

The other solution: I know that split pcap files can be merged into one bigger
file, but I will have problems with memory, and Bro may crash if it has a
limitation for processing big pcap files. So I am not considering this
option.

Best regards!

Veronica Estrada
Nakao Laboratory
The University of Tokyo