[Bro] how to merge rx and tx from different pcaps / slightly off-topic
franky.meier.1 at gmx.de
Thu Sep 10 00:58:45 PDT 2015
On Wed, Sep 9, 2015 at 6:16, Matthias Vallentin <vallentin at icir.org>
>> It looks like Bro is not seeing the data in the correct order. But from what I
>> read in mergecap source in merge_read_packet() this should work as
>> "Read the next packet, in chronological order, from the set of files to be
> You could give this a shot:
> ipsumdump --collate -r *.pcap -w merged.pcap
> Unlike mergecap, ipsumdump does not assume packets are sorted within
Thanks, this is an idea, but with my first run of mergecap I made sure the
order is correct (verified with capinfos -o).
Apart from that, it looks better now: only 3300 lines of weird.log with
115000 in conn.log.
I will investigate further whether the data in the pcaps is wrong or if Bro
is to blame.
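The two merge strategies contrasted in the thread (mergecap trusting that each input file is already chronological, ipsumdump --collate not trusting it), as an added Python illustration that is not part of the original exchange. The minimal pcap writer/reader and the constructed rx/tx sample captures are assumptions for the demo; the check at the end is the strict-time-order property that capinfos -o reports.

```python
import heapq
import struct

PCAP_MAGIC = 0xa1b2c3d4  # classic microsecond pcap, written little-endian here

def write_pcap(packets, snaplen=65535, linktype=1):
    """Serialize (ts_sec, ts_usec, payload) tuples into a little-endian pcap blob."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, data in packets:
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def read_pcap(blob):
    """Parse a little-endian pcap blob back into (ts_sec, ts_usec, payload) tuples."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    pos, packets = 24, []
    while pos + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, pos)
        pos += 16
        packets.append((sec, usec, blob[pos:pos + incl]))
        pos += incl
    return packets

def timestamp(pkt):
    return (pkt[0], pkt[1])

def merge_assuming_sorted(captures):
    """mergecap-style k-way merge: trusts each input to be chronological internally."""
    return list(heapq.merge(*captures, key=timestamp))

def merge_collate(captures):
    """ipsumdump --collate style: pool every packet and sort, so per-file order is irrelevant."""
    return sorted((p for cap in captures for p in cap), key=timestamp)

def is_chronological(packets):
    """The property capinfos -o reports as strict time order."""
    stamps = [timestamp(p) for p in packets]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))

# Constructed sample: the rx side is in order, the tx side has one packet written late.
RX_PCAP = write_pcap([(1, 0, b"rx-1"), (3, 0, b"rx-3")])
TX_PCAP = write_pcap([(4, 0, b"tx-4"), (2, 0, b"tx-2")])

def demo():
    """Return (sorted_input_merge_ok, collate_ok) for the constructed rx/tx pair."""
    caps = [read_pcap(RX_PCAP), read_pcap(TX_PCAP)]
    return is_chronological(merge_assuming_sorted(caps)), is_chronological(merge_collate(caps))
```

With one tx packet out of place, the sorted-input merge emits tx-4 before tx-2 while the collate merge yields rx-1, tx-2, rx-3, tx-4.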