[Bro] Split PCAPs & Partial Connections
dn1nj4 at gmail.com
Mon Jun 9 03:00:37 PDT 2014
I ran mergecap -w merged.cap file1 file2. When run with -a, merged.cap is
the same file size, but bro results in only 700 log lines in ssl.log. The
two PCAP files are an overlapping timeframe. Traffic is split across
both. Yes, the merged file size is approximately the same as the sum of
the individual files.
On Mon, Jun 9, 2014 at 5:17 AM, Shane Castle <shane.castle at gmail.com> wrote:
> A few questions arise:
> How did you run mergecap? Does the behavior change if you run it using
> -a? Do the two pcap files immediately follow one another in timestamps,
> that is, does file2 start exactly where file1 stops? Is the merged pcap
> file about equal to size(file1) plus size(file2), or is it significantly
> Mit besten Grüßen
> Shane Castle
> On 09.06.2014 09:59, Jason wrote:
> > Has anyone here run into this problem before? It seems to be the same
> > for http.log files as well.
> > Thanks!
> > Jason
> > On Fri, Jun 6, 2014 at 8:34 AM, dn1nj4 <dn1nj4 at gmail.com
> > <mailto:dn1nj4 at gmail.com>> wrote:
> > Hello all,
> > I am batch processing some periodic PCAP files to extract SSL
> > certificates. I noticed if I do bro -r file1, followed by bro -r
> > file2, I end up with two ssl.log files totalling ~1500 lines.
> > However, if I mergecap file1 & file2 and run bro -r merged, my
> > ssl.log is ~7000 lines.
> > After searching the list archive and current bro docs, I thought
> > this might be a partial connection problem. So I tried a redef
> > partial_connection_ok = T; but that did not seem to have any effect.
> > Any insights into how I might fix the discrepancy would be greatly
> > appreciated.
> > Jason
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro