[Bro] Is it possible to export pcap for a given event / connection?

Hosom, Stephen M hosom at battelle.org
Wed Sep 23 10:27:37 PDT 2015


Bro doesn't really have a good way to export packet captures.

You would be best off running something like Time Machine or Stenographer (both open source packet capture projects) and then using Bro to export the small pcap related to the connection you want. If you'd like some pointers on how to do that, let me know. I've got some similar stuff going on in my environment.



-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Dirk Leinenbach
Sent: Wednesday, September 23, 2015 12:56 PM
To: bro at bro.org
Subject: [Bro] Is it possible to export pcap for a given event / connection?

Hi there,

does Bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?

Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.

One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.

Thanks for your help,
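
As an added illustration of the approach discussed in this thread (reconstruct a filter from the connection record, then carve the packets out of a full trace kept by a separate capture store), here is example code that is not from Bro, Time Machine, Stenographer or either poster: it parses a conn.log record, builds a BPF filter pinned to that connection's 5-tuple in both directions, and emits the tcpdump command that extracts it. The conn.log sample is constructed.

```python
import shlex

# Constructed sample: a Bro conn.log header line plus one record (tab-separated).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n"
    "1443032160.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t12.5\n"
)

def parse_conn_log(text):
    """Yield one dict per conn.log record, keyed by the names in its #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            r = dict(zip(fields, line.split("\t")))
            r["ts"] = float(r["ts"])
            r["id.orig_p"], r["id.resp_p"] = int(r["id.orig_p"]), int(r["id.resp_p"])
            # duration is '-' when Bro never saw the connection finish
            r["duration"] = 0.0 if r["duration"] == "-" else float(r["duration"])
            yield r

def bpf_filter(c):
    """BPF expression matching exactly this connection, in both directions."""
    oh, op, rh, rp = c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"]
    proto = c["proto"].lower()
    if proto in ("tcp", "udp"):
        # Pair each port with its host, so the reverse pairing A:443 -> B:51234 is
        # not pulled in by a looser 'host A and host B and port 443 and port 51234'.
        fwd = f"src host {oh} and src port {op} and dst host {rh} and dst port {rp}"
        rev = f"src host {rh} and src port {rp} and dst host {oh} and dst port {op}"
        return f"{proto} and (({fwd}) or ({rev}))"
    if proto == "icmp":
        return f"icmp and host {oh} and host {rh}"
    return f"host {oh} and host {rh}"   # no ports for other IP protocols

def time_window(c, slack=2.0):
    """Epoch (start, end) padded by `slack` seconds, for packet stores whose query
    language takes time bounds; tcpdump itself cannot filter on time."""
    return c["ts"] - slack, c["ts"] + c["duration"] + slack

def tcpdump_command(c, trace, out):
    """Shell command carving this connection out of a full-packet trace file."""
    return " ".join(["tcpdump", "-n", "-r", shlex.quote(trace), "-w", shlex.quote(out),
                     shlex.quote(bpf_filter(c))])

if __name__ == "__main__":
    for c in parse_conn_log(SAMPLE_CONN_LOG):
        print(tcpdump_command(c, "full.pcap", c["uid"] + ".pcap"))
```

The resulting per-connection pcap is what you would then open in Wireshark; the time window is only useful if your capture store's query language accepts time bounds.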

