[Bro] processing many files with bro
estrada.veronica at gmail.com
Thu Mar 11 03:01:47 PST 2010
Sorry, I couldn't make it work.
ipsumdump --collate -w *.pcap | $BROHOME/bin/bro -r - brolite mysite
/usr/local/bro-1.5-dep/bin/bro: problem with trace file - - truncated dump file; tried to read 24 file header bytes, only got 0
On Thu, Mar 11, 2010 at 3:14 AM, Matthias Vallentin <vallentin at icir.org> wrote:
> On Wed, Mar 10, 2010 at 08:30:56AM -0800, Robin Sommer wrote:
> > That's probably the best solution and you can do it on the fly: have
> > your merge tool (e.g., tcpslice) write to stdout and Bro read from
> > stdin with "-r -". The effect on memory will indeed be that of one
> > large pcap file but if that causes trouble, you should tweak the
> > Bro configuration.
> Yet another tool:
> % ipsumdump --collate -w - *.pcap | bro -r - http-request etc
> The switch --collate ensures monotone timestamps.
> Matthias Vallentin
> vallentin at icir.org
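Added example (not code from this thread or from ipsumdump): a Python version of a timestamp-collating merge that writes one pcap stream to stdout for `bro -r -` and rejects any input lacking the 24-byte file header that Bro's error message refers to. It assumes classic microsecond-resolution pcap files that are each already in time order; the function names and the script name `collate.py` are hypothetical.

```python
import heapq
import struct
import sys

GLOBAL_HDR = 24  # pcap file header size: the "24 file header bytes" Bro asked for
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic usec pcap

def open_pcap(stream):
    """Validate the file header; return (linktype, snaplen, iterator of (ts, record))."""
    hdr = stream.read(GLOBAL_HDR)
    if len(hdr) != GLOBAL_HDR or hdr[:4] not in MAGIC:
        raise ValueError("not a pcap stream (got %d header bytes)" % len(hdr))
    endian = MAGIC[hdr[:4]]
    snaplen, linktype = struct.unpack(endian + "2I", hdr[16:24])
    def records():
        while rh := stream.read(16):
            if len(rh) < 16:
                raise ValueError("truncated record header")
            sec, usec, caplen, wirelen = struct.unpack(endian + "4I", rh)
            data = stream.read(caplen)
            if len(data) < caplen:
                raise ValueError("truncated packet data")
            # Re-pack little-endian so inputs of either byte order can be mixed.
            yield (sec, usec), struct.pack("<4I", sec, usec, caplen, wirelen) + data
    return linktype, snaplen, records()

def collate(streams, out):
    """Merge pcap streams into one, ordered by timestamp; return the packet count."""
    opened = [open_pcap(s) for s in streams]
    linktypes = {o[0] for o in opened}
    if len(linktypes) != 1:
        raise ValueError("need at least one input, all with the same link type")
    snaplen = max(o[1] for o in opened)
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktypes.pop()))
    count = 0
    # heapq.merge assumes each input is already in time order on its own.
    for _, rec in heapq.merge(*(o[2] for o in opened), key=lambda r: r[0]):
        out.write(rec)
        count += 1
    return count

def sample_pcap(stamps, endian="<", linktype=1):
    """Constructed test capture: one 4-byte dummy packet per (sec, usec) stamp."""
    body = b"".join(struct.pack(endian + "4I", s, u, 4, 4) + b"\0" * 4 for s, u in stamps)
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype) + body

if __name__ == "__main__":
    files = [open(p, "rb") for p in sys.argv[1:]]
    collate(files, sys.stdout.buffer)  # e.g. python3 collate.py *.pcap | bro -r -
```

Comparing the two command lines on this page, the failing one has no `-` after `-w`, so the shell hands the first matching .pcap name to `-w` as the output file and nothing reaches Bro's stdin.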