[Bro] Split PCAPs & Partial Connections

dn1nj4 dn1nj4 at gmail.com
Fri Jun 6 05:34:42 PDT 2014

Hello all,

I am batch processing some periodic PCAP files to extract SSL certificates. I noticed if I do bro -r file1, followed by bro -r file2, I end up with two ssl.log files totalling ~1500 lines. However, if I mergecap file1 & file2 and run bro -r merged, my ssl.log is ~7000 lines.

After searching the list archive and current bro docs, I thought this might be a partial connection problem. So I tried a redef partial_connection_ok = T; but that did not seem to have any effect.

Any insights into how I might fix the discrepancy would be greatly appreciated.
