[Bro] Issue with small pcap files and -r

Mike Sconzo sconzo at visiblerisk.com
Mon Jan 7 15:48:38 PST 2013

When running bro in standalone mode, is there a size cutoff for it to
do anything with a pcap file?

In bro 2.0 and 2.1 if I run, on a small pcap (76k through 6mb):
bro -C -r ./input.pcap /usr/local/bro/share/bro/site/local.bro

it only creates

However, if I run the same command line on a larger pcap (512mb), it
produces more "normal" logs.

I've looked through the pcaps in snort, wireshark, tcpdump, and tshark
and none of them have issues reading any of the small pcap files
(snort will also flag alerts where appropriate). There is app data
where expected in packet payloads and multiple setup/teardowns per

I skimmed through the trace file and didn't see anything that looked
like an error.

Am I missing something simple? Does this have implications with
running bro in production?


cat ~/.bash_history > documentation.txt
