[Bro] processing many files with bro

Vern Paxson vern at icir.org
Wed Mar 10 11:30:31 PST 2010


> Yet another tool:
> 
> % ipsumdump --collate -w - *.pcap | bro -r - http-request etc
> 
> The switch --collate ensures monotone timestamps.

Yeah, indeed that's a bit better than tcpslice, because ipsumdump will
correctly collate traces that overlap in time, while IIRC tcpslice won't.

Vern
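To make the collation point concrete, here is an added example (not code from the Bro list, ipsumdump or tcpslice) that does in plain Python what `--collate` does conceptually: a k-way merge of several pcap files by record timestamp, so that whatever reads the result (here `bro -r -` in the original) sees monotone timestamps even when the input traces overlap in time. The two input traces are constructed inline; the function names (`collate`, `concatenate`, `is_monotone`) are this example's own. It assumes the classic little-endian pcap format and that the capturing hosts had synchronised clocks, since a merge by timestamp can only be as good as the clocks that produced them.

```python
"""Collating overlapping pcap traces by timestamp (k-way merge).

Added example, not code from the Bro list or from ipsumdump: it shows what
``ipsumdump --collate`` achieves conceptually, so that a downstream reader such
as ``bro -r -`` sees monotone timestamps. The pcap inputs are constructed inline.
"""
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records):
    """Serialise (ts_sec, ts_usec, payload) tuples into a little-endian pcap blob."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_usec, payload in records:
        out.append(RECORD_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, payload) from a pcap blob, checking magic and lengths."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        payload = blob[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, payload


def collate(blobs):
    """Merge several pcap blobs into one whose records are in timestamp order.

    Each input is read lazily; heapq.merge does the k-way merge, so the inputs
    only need to be individually sorted, not globally ordered (this is the
    overlapping-traces case that a plain concatenation gets wrong).
    """
    streams = [read_pcap(b) for b in blobs]
    merged = heapq.merge(*streams, key=lambda r: (r[0], r[1]))
    return write_pcap(merged)


def concatenate(blobs):
    """A cat-style join: every record of file 1, then every record of file 2, and so on."""
    records = [rec for b in blobs for rec in read_pcap(b)]
    return write_pcap(records)


def timestamps(blob):
    return [(s, u) for s, u, _ in read_pcap(blob)]


def is_monotone(blob):
    """True if record timestamps never go backwards (what the downstream reader wants)."""
    ts = timestamps(blob)
    return all(a <= b for a, b in zip(ts, ts[1:]))


# Two constructed traces whose time ranges overlap, as from two capture boxes.
TRACE_A = write_pcap([(1268249400, 0, b"A0"), (1268249402, 0, b"A2"), (1268249404, 0, b"A4")])
TRACE_B = write_pcap([(1268249401, 0, b"B1"), (1268249403, 0, b"B3")])

if __name__ == "__main__":
    print("concatenated monotone:", is_monotone(concatenate([TRACE_A, TRACE_B])))  # False
    print("collated monotone:    ", is_monotone(collate([TRACE_A, TRACE_B])))      # True
```

Because `collate` reads each input lazily and `heapq.merge` keeps only one pending record per input in memory, the same structure scales to many large traces; the merged bytes can be written to stdout and piped into a reader exactly as the `ipsumdump --collate -w - ... | bro -r -` pipeline above does.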



More information about the Bro mailing list