[Bro] Problem reading pcap file
vladimira at vfemail.net
Sun Oct 19 21:53:57 PDT 2014
On 10/19/2014 11:43 PM, anthony kasza wrote:
> Are you willing to share a sample pcap that causes these errors?
Thank you. That was the perfect answer, because it led me to excerpt one
conversation with a non-sensitive host. And reading that yielded a
"conn.log" with just one line. [zap!]
It's classic PEBKAC ;) Conversations <> packets.
There are _only 13_ conversations in that capture. It's a bandwidth
test, and ten of them are http with resp_bytes=1520560.
Excuse: I've been reading about both Bro and Splunk, and got confused.
> On Oct 19, 2014 7:27 PM, "Vladimir Arseniev" <vladimira at vfemail.net> wrote:
>> While this is fundamentally an old question, the old answers aren't
>> working for me. Using "bro -r", I get the classic "invalid UDP
>> checksums" error. Using "bro -rC" (or "bro -r -C"), I get numerous
>> errors about unrecognized characters (even with the "-r" flag).
>> Using "bro -Cr" (or "bro -C -r"), I get no shell errors. However, I see
>> just 13 packets in "conn.log" vs 24311 packets expected. Perhaps this is
>> the new piece of my question (plus why "-rC" <> "-Cr").
>> How do I fix this?
>> Some details might be useful. I compiled from bro-2.3.1.tar.gz in Debian
>> 7.6 x64. I'm working with a 32MB capture from a Centos 6.5 VPS. I used
>> dumpcap with a ring buffer:
>> dumpcap -b filesize:102400 -b files:10 -i eth0 -w /home/user/eth0
>> I used Wireshark to restrict eth0_00001_20141014111022 to IPv4, yielding
>> eth0_00001_20141014111022_IPv4. Then I used "editcap -F libpcap" to
>> convert to eth0_00001_20141014111022_IPv4.pcap (hereinafter "eth0.pcap").
>> I get no joy reading eth0.pcap with bro:
>> bro -r eth0.pcap
>> 1413340801.822519 warning in
>> /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line
>> 54: Your trace file likely has invalid UDP checksums, most likely from
>> NIC checksum offloading.
>> bro -rC eth0.pcap
>> error in ./eth0.pcap, line 1: unrecognized character -
>> error in ./eth0.pcap, line 1: unknown identifier t, at or near "t"
>> bro -Cr eth0.pcap
>> [completes without errors, but conn.log is just 2.4KB]
>> cat conn.log
>> [see expected headers, but just 13 data lines]
>> #close 2014-10-19-20-26-47
>> Bro mailing list
>> bro at bro-ids.org
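An added example, not code from the thread or from the Bro project, that ties the two observations in the thread together. Part 1 models Bro's option handling with Python's POSIX-style getopt and an assumed option string "r:C" (-r takes a file, -C is a bare flag; Bro's real option string has many more entries): "-rC eth0.pcap" parses as -r with the argument "C", leaving eth0.pcap as a positional argument, which Bro would then try to load as a policy script, hence the "unrecognized character" errors, while "-Cr eth0.pcap" parses as intended. Part 2 builds a small constructed pcap (a few long transfers carrying many packets, plus one DNS exchange), parses it with struct only, and groups packets into conn.log-style connections keyed on (proto, originator, responder), so that 152 packets collapse to 4 connection rows. All addresses, ports and sizes are made up.

```python
"""Added example (not from the Bro project or from the thread's author).

  1. why "bro -rC f" and "bro -Cr f" behave differently, and
  2. why a capture of tens of thousands of packets can legitimately yield a
     conn.log with only a handful of rows (one row per connection, not per packet).
"""
import getopt
import socket
import struct
from collections import defaultdict

# ---- 1. option parsing ------------------------------------------------------
# Assumption: Bro 2.x reads its command line with POSIX getopt, where -r takes
# a file argument and -C is a bare flag.  Only those two options are modelled.
BRO_OPTS = "r:C"


def parse_bro_args(argv):
    """Return (file given to -r, -C seen?, leftover args Bro would load as scripts)."""
    opts, rest = getopt.getopt(argv, BRO_OPTS)
    read_file, ignore_checksums = None, False
    for flag, value in opts:
        if flag == "-r":
            read_file = value          # "-rC" lands here with value "C"
        elif flag == "-C":
            ignore_checksums = True
    return read_file, ignore_checksums, rest


# ---- 2. packets vs. conversations -------------------------------------------
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETH_HDR = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4


def _ipv4(src, dst, proto, l4):
    # Header checksum left at 0, mirroring an offloaded-checksum capture.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4


def _tcp(sport, dport, payload_len):
    # 20-byte TCP header, PSH|ACK, zero checksum, then payload_len bytes of filler.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + b"\0" * payload_len


def _udp(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0) + b"\0" * payload_len


def build_pcap(frames):
    """Serialize Ethernet frames as a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1413340801 + i, 0, len(frame), len(frame)) + frame
    return out


def constructed_capture():
    """Constructed 'bandwidth test': 3 HTTP transfers of 50 packets each plus one DNS exchange."""
    client, frames = "10.0.0.5", []
    for n, sport in enumerate((40001, 40002, 40003)):
        server = "203.0.113.%d" % (10 + n)
        for k in range(50):
            if k % 5 == 0:   # bare ACK from the client
                frames.append(ETH_HDR + _ipv4(client, server, 6, _tcp(sport, 80, 0)))
            else:            # full-size data segment from the server
                frames.append(ETH_HDR + _ipv4(server, client, 6, _tcp(80, sport, 1460)))
    frames.append(ETH_HDR + _ipv4(client, "10.0.0.1", 17, _udp(53123, 53, 30)))
    frames.append(ETH_HDR + _ipv4("10.0.0.1", client, 17, _udp(53, 53123, 60)))
    return build_pcap(frames)


def summarize_pcap(data):
    """Count packets and group IPv4 TCP/UDP packets into conn.log-style connections.

    Key: (proto, orig_h, orig_p, resp_h, resp_p), originator = side sending the first packet.
    Returns (packet_count, {key: [packets, bytes]}).
    """
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    packets, flows, off = 0, defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        packets += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue                                   # only TCP/UDP carry ports
        sport, dport = struct.unpack_from("!HH", l4, 0)
        fwd, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        key = rev if rev in flows else fwd             # replies join the existing connection
        flows[key][0] += 1
        flows[key][1] += len(frame)
    return packets, dict(flows)


if __name__ == "__main__":
    print(parse_bro_args(["-rC", "eth0.pcap"]))   # ('C', False, ['eth0.pcap'])
    print(parse_bro_args(["-Cr", "eth0.pcap"]))   # ('eth0.pcap', True, [])
    n, conns = summarize_pcap(constructed_capture())
    print("%d packets, %d connections" % (n, len(conns)))   # 152 packets, 4 connections
```

Run it directly to see the two parses side by side and the packet/connection counts; the same first-packet-wins keying is why, in the capture discussed above, a multi-megabyte download shows up as a single conn.log row with a large resp_bytes rather than as thousands of rows.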