[Bro] I want to capture certain traffic using input framework

Jan Grashoefer jan.grashofer at cern.ch
Sun Sep 20 06:25:00 PDT 2015


> FYI: I can use BPF (bro -f file.log), but in this case the issue is that
> bro has to be restarted many times since the file keeps adding new IPs so that
> the file.log is to be updated. I also found the exclude filter function, but that
> excludes; I want to include certain traffic to be captured.

You can use the packet filter framework (see
to install your filter live.

