[Bro] Problem reading pcap file
anthony.kasza at gmail.com
Sun Oct 19 20:43:52 PDT 2014
Are you willing to share a sample pcap that causes these errors?
On Oct 19, 2014 7:27 PM, "Vladimir Arseniev" <vladimira at vfemail.net> wrote:
> While this is fundamentally an old question, the old answers aren't
> working for me. Using "bro -r", I get the classic "invalid UDP
> checksums" error. Using "bro -rC" (or "bro -r -C"), I get numerous
> errors about unrecognized characters (even with the "-r" flag).
> Using "bro -Cr" (or "bro -C -r"), I get no shell errors. However, I see
> just 13 packets in "conn.log" vs 24311 packets expected. Perhaps this is
> the new piece of my question (plus why "-rC" <> "-Cr").
> How do I fix this?
> Some details might be useful. I compiled from bro-2.3.1.tar.gz in Debian
> 7.6 x64. I'm working with a 32MB capture from a Centos 6.5 VPS. I used
> dumpcap with a ring buffer:
> dumpcap -b filesize:102400 -b files:10 -i eth0 -w /home/user/eth0
> I used Wireshark to restrict eth0_00001_20141014111022 to IPv4, yielding
> eth0_00001_20141014111022_IPv4. Then I used "editcap -F libpcap" to
> convert to eth0_00001_20141014111022_IPv4.pcap (hereinafter "eth0.pcap").
> I get no joy reading eth0.pcap with bro:
> bro -r eth0.pcap
> 1413340801.822519 warning in
> /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line
> 54: Your trace file likely has invalid UDP checksums, most likely from
> NIC checksum offloading.
> bro -rC eth0.pcap
> error in ./eth0.pcap, line 1: unrecognized character -
> error in ./eth0.pcap, line 1: unknown identifier t, at or near "t"
> bro -Cr eth0.pcap
> [completes without errors, but conn.log is just 2.4KB]
> cat conn.log
> [see expected headers, but just 13 data lines]
> #close 2014-10-19-20-26-47
> Bro mailing list
> bro at bro-ids.org
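The difference between "-rC" and "-Cr" in the quoted question comes down to standard getopt option clustering: Bro's "-r" takes a filename argument, so in "-rC" the letter "C" is consumed as that filename and "eth0.pcap" is left over as a positional argument, which Bro treats as a policy script to parse (hence "unrecognized character" errors from a binary file). With "-Cr eth0.pcap", "-C" is a bare flag and "-r" gets "eth0.pcap" as intended. The following is an added example, not Bro's own code or anything from the thread: a POSIX sh function that parses the two options with getopts exactly the way a getopt-style parser does, so the four spellings from the question can be compared side by side. The function name `parse_like_bro` and the printed field names are assumptions for illustration; the file name "eth0.pcap" is the poster's and does not need to exist for the parsing itself.

```shell
#!/bin/sh
# Added example (not Bro's own code): emulate how a getopt-style parser
# treats the Bro options "-r <tracefile>" (takes an argument) and "-C"
# (a bare flag), to show why "-rC" and "-Cr" mean different things.

parse_like_bro() {
    # Reset getopts state so the function can be called repeatedly.
    OPTIND=1
    trace=""
    ignore_checksums=no
    while getopts "r:C" opt; do
        case "$opt" in
            r) trace="$OPTARG" ;;          # -r consumes the NEXT item as its filename
            C) ignore_checksums=yes ;;     # -C is a bare flag, no argument
            *) return 1 ;;
        esac
    done
    shift $((OPTIND - 1))
    # Whatever is left over is what Bro would try to load as policy scripts.
    printf 'trace=%s ignore_checksums=%s scripts=%s\n' \
        "$trace" "$ignore_checksums" "$*"
}

# Demonstration of the spellings from the thread. Expected lines:
#   bro -rC eth0.pcap    -> trace=C ignore_checksums=no scripts=eth0.pcap
#   bro -r -C eth0.pcap  -> trace=-C ignore_checksums=no scripts=eth0.pcap
#   bro -Cr eth0.pcap    -> trace=eth0.pcap ignore_checksums=yes scripts=
#   bro -C -r eth0.pcap  -> trace=eth0.pcap ignore_checksums=yes scripts=
for args in "-rC eth0.pcap" "-r -C eth0.pcap" "-Cr eth0.pcap" "-C -r eth0.pcap"; do
    printf '%-20s -> ' "bro $args"
    # shellcheck disable=SC2086  # word splitting of $args is intentional
    parse_like_bro $args
done
```

The "-r -C" case shows the same trap: getopts hands "-C" to "-r" as its filename, so that spelling also leaves "eth0.pcap" as a positional script argument, which matches the poster's report that "-r -C" behaved like "-rC". Separately, conn.log records one line per connection rather than per packet, so 13 lines from a 24311-packet trace is not by itself evidence that packets were dropped.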