[Bro] how to merge rx and tx from different pcaps / slightly off-topic
franky.meier.1 at gmx.de
Wed Sep 9 07:04:34 PDT 2015
Sorry if this is off-topic, but I hope to find the right audience here.
I want to create Bro logs of around 900 Gb of data in 20,000 pcaps.
Capturing was done on different interfaces for upstream and downstream.
Because of the large number of files I cannot merge them in one step
("too many open files"),
so I merged them to one pcap per day with mergecap. After that Bro is
called like this:
    # mergecap -F pcap -w - *.pcap | bro -r - foo.bro

    # foo.bro
    redef bits_per_uid = 128;    # Bro's option is bits_per_uid ("bits_per_uids" is not a known identifier)
    redef ignore_checksums = T;
    redef Log::default_rotation_interval = 1day;
No real service logs are written, except for a weird.log full of:
It looks like Bro is not seeing the data in the correct order. But from
what I read in the mergecap
source in merge_read_packet(), this should work as intended: "Read the
in chronological order, from the set of files to be merged."
I am thankful for any ideas.
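As an added example (not code from the original post, and not the source of mergecap or Bro), the following Python reimplements the one rule behind mergecap's merge_read_packet(): keep one buffered packet per open input and always emit the one with the smallest timestamp next. It also adds the check a practitioner would run on the per-day output before blaming Bro: does any packet timestamp go backwards? The rx/tx captures are constructed in memory, the pcap format handled is the classic little-endian microsecond one, and all function names are my own.

```python
# Added example, not the original post's code nor mergecap's or Bro's source.
# It reimplements the rule behind mergecap's merge_read_packet(): among all open
# inputs, always emit the packet with the smallest timestamp next.
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond pcap (assumed for all inputs)
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(records, linktype=1):
    """Serialise (ts_sec, ts_usec, payload) tuples into a pcap file (constructed data)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, payload in records:
        out += REC_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return bytes(out)


def open_pcap(fp):
    """Parse the global header; return (linktype, iterator of ((sec, usec), raw_record))."""
    hdr = fp.read(GLOBAL_HDR.size)
    if len(hdr) < GLOBAL_HDR.size:
        raise ValueError("short pcap global header")
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack(hdr)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")

    def records():
        while True:
            rec = fp.read(REC_HDR.size)
            if len(rec) < REC_HDR.size:
                return                      # EOF
            sec, usec, incl, _orig = REC_HDR.unpack(rec)
            payload = fp.read(incl)
            if len(payload) < incl:
                raise ValueError("truncated packet record")
            yield (sec, usec), rec + payload

    return linktype, records()


def merge_streams(inputs, out):
    """k-way merge of open pcap streams by timestamp; returns the packet count.
    Every input stays open for the whole merge (one buffered packet each), which
    is exactly why a one-shot merge of 20,000 files hits the open-file limit."""
    if not inputs:
        raise ValueError("no inputs")
    readers, linktype = [], None
    for fp in inputs:
        lt, gen = open_pcap(fp)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("inputs must share a link type")
        readers.append(gen)
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    # Heap entries: (timestamp, input index, raw record); the index breaks ties so
    # rx and tx packets with equal stamps keep a deterministic order.
    heap = []
    for idx, gen in enumerate(readers):
        item = next(gen, None)
        if item is not None:
            heap.append((item[0], idx, item[1]))
    heapq.heapify(heap)
    written = 0
    while heap:
        _ts, idx, raw = heapq.heappop(heap)
        out.write(raw)
        written += 1
        nxt = next(readers[idx], None)
        if nxt is not None:
            heapq.heappush(heap, (nxt[0], idx, nxt[1]))
    return written


def merge_bytes(blobs):
    """Merge in-memory pcap files and return the merged file as bytes."""
    out = io.BytesIO()
    merge_streams([io.BytesIO(b) for b in blobs], out)
    return out.getvalue()


def timestamps(blob):
    """(sec, usec) stamps of an in-memory pcap, in file order."""
    _lt, gen = open_pcap(io.BytesIO(blob))
    return [ts for ts, _raw in gen]


def out_of_order(blob):
    """[(index, previous_ts, ts)] for every packet whose stamp goes backwards; [] if chronological."""
    prev, bad = None, []
    for i, ts in enumerate(timestamps(blob)):
        if prev is not None and ts < prev:
            bad.append((i, prev, ts))
        prev = ts
    return bad
```

On real files the same core works as `merge_streams([open(p, "rb") for p in paths], open("day.pcap", "wb"))`; for the ordering check, pass `open("day.pcap", "rb").read()` to `out_of_order()` (or adapt it to stream). The merge needs every input open at once, so a staged merge (per day, then across days if needed) is the way around the descriptor limit, and each stage's output stays chronological as long as its inputs were.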