[Bro] Issue with small pcap files and -r
sconzo at visiblerisk.com
Mon Jan 7 15:48:38 PST 2013
When running bro in stand-alone mode, is there a size cutoff for it to
do anything with a pcap file?
In bro 2.0 and 2.1, if I run the following on a small pcap (76k through 6mb):
bro -C -r ./input.pcap /usr/local/bro/share/bro/site/local.bro
it only creates
However, if I run the same command line on a larger pcap (512mb), it
produces more "normal" logs.
I've looked through the pcaps in snort, wireshark, tcpdump, and tshark
and none of them have issues reading any of the small pcap files
(snort will also flag alerts where appropriate). There is app data
where expected in packet payloads and multiple setup/teardowns per
I skimmed through the trace file and didn't see anything that looked
like an error.
Am I missing something simple? Does this have implications for
running bro in production?
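Editor's note: the following is an added example, not part of the original post and not Bro code. When a reader like bro consumes a pcap but emits almost nothing, the first thing worth ruling out is the capture file itself: that it is a plain libpcap file (not pcapng), that its link-layer type is one the tool decodes, that packets were not clipped by a small snaplen, and that the file is not cut off mid-record. The script below parses the 24-byte global header and walks the packet records to report exactly those properties. Every file, frame and byte value in it is constructed for the demonstration; the field layout follows the public libpcap file format.

```python
"""Sanity-check a libpcap file's global header and packet records.

Added example (not from the original mailing-list post, not Bro code).
Run with a path argument to inspect a real capture, or with no argument
to run against a constructed in-memory sample.
"""
import struct
import sys

# Link-layer types from the libpcap registry (only the few named here).
LINKTYPES = {0: "NULL", 1: "EN10MB (Ethernet)", 101: "RAW", 113: "LINUX_SLL"}

# First four bytes of the file, read little-endian, tell us byte order and
# timestamp resolution. pcapng files start with 0x0A0D0D0A instead.
MAGICS = {
    0xA1B2C3D4: ("<", "micro"),
    0xD4C3B2A1: (">", "micro"),
    0xA1B23C4D: ("<", "nano"),
    0x4D3CB2A1: (">", "nano"),
}


def build_pcap(frames, snaplen=65535, linktype=1, byteorder="<"):
    """Serialise raw frames into a minimal libpcap file (constructed data)."""
    out = struct.pack(byteorder + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]          # emulate snaplen clipping
        out += struct.pack(byteorder + "IIII", 1357602518 + i, 0, len(captured), len(frame))
        out += captured
    return out


def inspect_pcap(data):
    """Return a dict describing the global header and the packet records."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x); pcapng is 0x0A0D0D0A" % magic)
    bo, ts_res = MAGICS[magic]
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(bo + "IHHiIII", data[:24])
    info = {
        "byteorder": "little" if bo == "<" else "big",
        "ts_resolution": ts_res,
        "version": "%d.%d" % (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown/other"),
        "packets": 0,
        "truncated_packets": 0,   # incl_len < orig_len: clipped by snaplen
        "bytes_on_wire": 0,
        "unparsed_tail_bytes": 0, # bytes after the last complete record
    }
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_frac, incl, orig = struct.unpack(bo + "IIII", data[off:off + 16])
        if off + 16 + incl > len(data):
            break   # record claims more bytes than remain: capture cut off
        if incl > snaplen or incl > orig:
            break   # record header inconsistent with the global header
        info["packets"] += 1
        info["bytes_on_wire"] += orig
        if incl < orig:
            info["truncated_packets"] += 1
        off += 16 + incl
    info["unparsed_tail_bytes"] = len(data) - off
    return info


def issues(info):
    """Human-readable warnings for the properties that commonly silence a reader."""
    out = []
    if info["packets"] == 0:
        out.append("no complete packet records found")
    if info["linktype"] != 1:
        out.append("link type %d (%s) is not Ethernet; the reader must support it"
                   % (info["linktype"], info["linktype_name"]))
    if info["truncated_packets"]:
        out.append("%d packet(s) clipped by snaplen %d; payload analysis will be incomplete"
                   % (info["truncated_packets"], info["snaplen"]))
    if info["unparsed_tail_bytes"]:
        out.append("%d trailing byte(s) do not form a full record; file may be cut off"
                   % info["unparsed_tail_bytes"])
    return out


def sample_capture():
    """Constructed capture: three placeholder frames, snaplen 96, one frame clipped."""
    frames = [b"\x00" * 60, b"\x11" * 1514, b"\x22" * 80]
    return build_pcap(frames, snaplen=96)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    report = inspect_pcap(data)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
    for msg in issues(report):
        print("WARNING:", msg)
```

Running it over both a small and a large capture from the same sensor and diffing the header fields is a quick way to tell whether the files differ in anything other than size.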
More information about the Bro