[Bro] broctl reading from pcap files

Victor-Alexandru Truica vat at mnworks.dk
Mon Sep 15 04:02:20 PDT 2014


I'm using BRO in Security Onion and I need to test the traffic captured 
from a deployment in a test environment. Instead of monitoring an 
interface, I want to read from a directory containing pcap files (and/or 
a large pcap file). SO uses broctl in its scripts to start/manage BRO, 
but I don't know if there is an argument to add in any of broctl's config 
files (node.cfg, broctl.cfg) that will make BRO read from PCAP files.

I've also looked into BRO's CLI, and if I were to use this it would be a 
problem because of the way logs are being stored in SO - in timestamped 
folders and a "current" folder.

My questions are:
- can broctl read from PCAP files?
- can I use BRO's CLI to save the log files in an SO fashion (timestamped 
directories and others) without additional bash?


Victor-Alexandru Truica
Product Architect
MN Works ApS - www.mnworks.dk
Telephone (DK) : +45 50 36 93 72
Blog/Website : http://truica-victor.com
E-Mail : vat at mnworks.dk
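One way to replay a directory of pcaps through the bro command-line tool, giving each run its own timestamped log directory plus a "current" pointer, added here as an example that is not part of the original post; the directory naming, the `local` script argument and the `current` symlink are assumptions and do not reproduce Security Onion's actual layout:

```shell
#!/bin/sh
# Replay each pcap in a directory through bro, one run per file, writing
# that run's logs into its own timestamped directory and pointing a
# "current" symlink at the newest run. The layout is an assumption that
# only imitates the idea of timestamped folders; it is not Security
# Onion's real scheme.
set -eu

# Usage: replay_pcaps <pcap_dir> <log_root> [bro_binary]
# Prints the number of pcaps processed.
replay_pcaps() {
    pcap_dir=$1
    log_root=$2
    bro_bin=${3:-bro}
    count=0
    for pcap in "$pcap_dir"/*.pcap; do
        [ -f "$pcap" ] || continue
        # bro writes its logs into the working directory, so we cd into
        # the run directory; the pcap path must therefore be absolute.
        pcap_abs=$(cd "$(dirname "$pcap")" && pwd)/$(basename "$pcap")
        run_dir="$log_root/$(date -u +%Y-%m-%d/%H:%M:%S)/$(basename "$pcap" .pcap)"
        mkdir -p "$run_dir"
        # -r reads a trace file instead of sniffing an interface; "local"
        # loads the site's local.bro policy. bro's own console output is
        # kept in run.out next to the logs.
        ( cd "$run_dir" && "$bro_bin" -r "$pcap_abs" local > run.out 2>&1 )
        # Mirror the "current" folder idea: always point at the latest run.
        ln -sfn "$run_dir" "$log_root/current"
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone usage: replay_pcaps /path/to/pcaps /path/to/logs
if [ $# -ge 2 ]; then
    replay_pcaps "$@"
fi
```

Two pcaps processed within the same second still land in separate directories because the pcap's base name is part of the path.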
