[Bro] Issue with small pcap files and -r

Mike Sconzo sconzo at visiblerisk.com
Mon Jan 7 18:06:55 PST 2013

There are 3-way handshakes and no conn log is produced. The pcaps used
for the tests worked correctly when I tried them.

However, the pcaps I'm testing on have a GRE tunnel in them. After
digging around a bit more it seems like this might be the issue. I
didn't look close enough in wireshark, and the rest of the tools do
the decapsulation before showing results

Thanks for the quick response.


On Mon, Jan 7, 2013 at 6:25 PM, Robin Sommer <robin at icir.org> wrote:
> On Mon, Jan 07, 2013 at 17:48 -0600, Mike Sconzo wrote:
>> When running bro in stand alone mode is there a size cutoff for it to
>> do anything with a pcap file?
> No, small traces should produce the expected output. We have indeed a
> larger number of unit tests that rely on that; see, e.g.,
> testing/btest/scripts/base/protocols/smtp/basic.test for one using a
> rather small SMTP trace.
> My best guess is that's indeed something with your trace. Try some of
> the small traces in testing/btest/Traces and see what they give you.
>> I've looked through the pcaps in snort, wireshark, tcpdump, and tshark
> One difference between these and Bro is that Bro tracks the TCP state;
> if there's trouble with that, Bro might abort processing, even though
> the other tools continue with their packet-based analysis. Do you get
> a conn.log? That should show up in any case.
> Robin
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

cat ~/.bash_history > documentation.txt

More information about the Bro mailing list