[Bro] Issue with small pcap files and -r
robin at icir.org
Mon Jan 7 16:25:09 PST 2013
On Mon, Jan 07, 2013 at 17:48 -0600, Mike Sconzo wrote:
> When running bro in stand alone mode is there a size cutoff for it to
> do anything with a pcap file?
No, small traces should produce the expected output. We have indeed a
large number of unit tests that rely on that; see, e.g.,
testing/btest/scripts/base/protocols/smtp/basic.test for one using a
rather small SMTP trace.
My best guess is that it's indeed something with your trace. Try some of
the small traces in testing/btest/Traces and see what they give you.
> I've looked through the pcaps in snort, wireshark, tcpdump, and tshark
One difference between these and Bro is that Bro tracks the TCP state;
if there's trouble with that, Bro might abort processing, even though
the other tools continue with their packet-based analysis. Do you get
a conn.log? That should show up in any case.
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
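Robin's point that Bro tracks TCP state (unlike the packet-based tools) suggests a quick check to run on a trace before blaming the tool: does the capture actually contain the start of each TCP connection, or were the flows picked up mid-stream? The script below is an added example, not code from the thread or from the Bro project. It parses a classic libpcap file with the standard library only (assumptions: the classic pcap format rather than pcapng, an Ethernet link type, and IPv4), groups packets into bidirectional TCP flows, and reports whether the first packet seen for each flow is a bare SYN. The embedded sample trace is constructed in the script for illustration.

```python
"""Report, per TCP flow in a pcap, whether the handshake was captured.

Added example (not from the Bro project): a minimal classic-libpcap parser,
Ethernet/IPv4/TCP only, to spot flows a TCP-state-tracking analyser would see
as mid-stream. Pass a pcap path as argv[1], or run without arguments to use
the constructed sample trace built below.
"""
import struct
import sys
from collections import OrderedDict

PCAP_MAGIC_LE = 0xA1B2C3D4      # file written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1      # file written big-endian (magic read as "<I")
LINKTYPE_ETHERNET = 1
SYN, PSH, ACK = 0x02, 0x08, 0x10


def parse_pcap(data):
    """Yield raw link-layer frames from a classic (non-pcapng) libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d (assumes Ethernet)" % linktype)
    off = 24                                   # end of the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16                              # 16-byte per-record header
        yield data[off:off + incl_len]
        off += incl_len


def tcp_flows(frames):
    """Group IPv4/TCP packets into bidirectional flows keyed by a sorted endpoint pair."""
    flows = OrderedDict()
    for frame in frames:
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                            # not an IPv4 frame
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                            # not TCP, or truncated
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        flags = ip[ihl + 13]
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)      # same key for both directions
        flow = flows.setdefault(key, {"packets": 0, "syn_first": False})
        # A bare SYN as the first packet means the capture includes the start
        # of the connection; anything else means the flow is seen mid-stream.
        if flow["packets"] == 0 and (flags & SYN) and not (flags & ACK):
            flow["syn_first"] = True
        flow["packets"] += 1
    return flows


def check_trace(data):
    """Return {flow_key: (packet_count, handshake_captured)} for a pcap's bytes."""
    return {k: (v["packets"], v["syn_first"]) for k, v in tcp_flows(parse_pcap(data)).items()}


def build_packet(src, sport, dst, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample trace (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with an Ethernet link type."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))


# Constructed sample: one SMTP flow with a full handshake, one HTTP flow mid-stream.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.1", 40000, "10.0.0.2", 25, SYN),
    build_packet("10.0.0.2", 25, "10.0.0.1", 40000, SYN | ACK),
    build_packet("10.0.0.1", 40000, "10.0.0.2", 25, ACK),
    build_packet("10.0.0.1", 40000, "10.0.0.2", 25, PSH | ACK, b"EHLO example\r\n"),
    build_packet("10.0.0.3", 50000, "10.0.0.4", 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet("10.0.0.4", 80, "10.0.0.3", 50000, ACK),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (a, b), (n, syn_first) in check_trace(data).items():
        state = "handshake captured" if syn_first else "mid-stream (no SYN first)"
        print("%s:%d <-> %s:%d  %d packets  %s" % (a[0], a[1], b[0], b[1], n, state))
```

If every flow in a trace shows up as mid-stream, that is a property of the capture rather than of the analyser, and is worth knowing before comparing the output of a stateful tool against tcpdump or tshark. A pcapng file is rejected with a ValueError rather than silently misparsed; convert it first or extend the parser.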