[Bro] Issue with small pcap files and -r

Robin Sommer robin at icir.org
Mon Jan 7 16:25:09 PST 2013

On Mon, Jan 07, 2013 at 17:48 -0600, Mike Sconzo wrote:

> When running bro in stand alone mode is there a size cutoff for it to
> do anything with a pcap file?

No, small traces should produce the expected output. We have indeed a
larger number of unit tests that rely on that; see, e.g.,
testing/btest/scripts/base/protocols/smtp/basic.test for one using a
rather small SMTP trace.

My best guess is that's indeed something with your trace. Try some of
the small traces in testing/btest/Traces and see what they give you.

> I've looked through the pcaps in snort, wireshark, tcpdump, and tshark

One difference between these and Bro is that Bro tracks the TCP state;
if there's trouble with that, Bro might abort processing, even though
the other tools continue with their packet-based analysis. Do you get
a conn.log? That should show up in any case.


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the Bro mailing list