[Bro] processing many files with bro

Vern Paxson vern at icir.org
Wed Mar 10 11:30:31 PST 2010

> Yet another tool:
> % ipsumdump --collate -w - *.pcap | bro -r - http-request etc
> The switch --collate ensures monotone timestamps.

Yeah, indeed that's a bit better than tcpslice, because ipsumdump will
correctly collate traces that overlap in time, while IIRC tcpslice won't.


More information about the Bro mailing list