[Bro] Is it possible to export pcap for a given event / connection?
daniel.guerra69 at gmail.com
Wed Sep 23 15:35:19 PDT 2015
There is a way to extract the application layer.
> On 23 Sep 2015, at 18:56, Dirk Leinenbach <dirk at dirkleinenbach.de> wrote:
> Hi there,
> does bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?
> Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.
> One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.
> Thanks for your help,
> Bro mailing list
> bro at bro-ids.org
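The approach the question sketches (rebuild a filter from the connection and apply it to the original trace afterwards) is straightforward to implement. Below is an added example, not code from the thread or from Bro itself: it takes a connection tuple shaped like the `orig_h`/`orig_p`/`resp_h`/`resp_p` fields of Bro's `conn_id`, emits an exact two-direction BPF filter for `tcpdump`/Wireshark, and carves the matching packets out of a classic little-endian pcap (Ethernet/IPv4/TCP or UDP) into a new pcap using only the standard library. The sample capture is constructed inline; all addresses and ports in it are made up.

```python
import socket
import struct
from typing import Iterator, NamedTuple, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, little-endian, microsecond stamps
LINKTYPE_ETHERNET = 1
PROTO_NUM = {"tcp": 6, "udp": 17}


class ConnId(NamedTuple):
    """Connection 5-tuple, mirroring Bro's conn_id fields (hypothetical wrapper)."""
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str  # "tcp" or "udp"


def build_bpf_filter(c: ConnId) -> str:
    """Exact filter for both directions of the connection, usable with tcpdump -r."""
    fwd = (f"src host {c.orig_h} and src port {c.orig_p} and "
           f"dst host {c.resp_h} and dst port {c.resp_p}")
    rev = (f"src host {c.resp_h} and src port {c.resp_p} and "
           f"dst host {c.orig_h} and dst port {c.orig_p}")
    return f"{c.proto} and (({fwd}) or ({rev}))"


def iter_pcap_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (16-byte record header, frame bytes) for each packet in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len, = struct.unpack_from("<I", hdr, 8)
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated pcap record")
        yield hdr, pkt
        off += 16 + incl_len


def packet_conn_id(pkt: bytes) -> Optional[Tuple[int, str, int, str, int]]:
    """(proto, src_h, src_p, dst_h, dst_p) for an IPv4 TCP/UDP frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (pkt[14] & 0x0F) * 4                       # IPv4 header length in bytes
    proto = pkt[23]
    if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
        return None
    src_h = socket.inet_ntoa(pkt[26:30])
    dst_h = socket.inet_ntoa(pkt[30:34])
    src_p, dst_p = struct.unpack_from("!HH", pkt, 14 + ihl)  # ports lead TCP and UDP
    return proto, src_h, src_p, dst_h, dst_p


def carve_connection(pcap: bytes, c: ConnId) -> bytes:
    """Return a new pcap holding only the packets of connection c (both directions)."""
    want = PROTO_NUM[c.proto]
    fwd = (want, c.orig_h, c.orig_p, c.resp_h, c.resp_p)
    rev = (want, c.resp_h, c.resp_p, c.orig_h, c.orig_p)
    out = bytearray(pcap[:24])                       # reuse the original global header
    for hdr, pkt in iter_pcap_records(pcap):
        if packet_conn_id(pkt) in (fwd, rev):
            out += hdr + pkt
    return bytes(out)


def count_records(pcap: bytes) -> int:
    return sum(1 for _ in iter_pcap_records(pcap))


# --- constructed sample capture (not real traffic) ---------------------------
def _frame(proto: str, src_h: str, src_p: int, dst_h: str, dst_p: int) -> bytes:
    if proto == "tcp":   # minimal 20-byte TCP header, PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", src_p, dst_p, 1, 0, 0x50, 0x18, 65535, 0, 0)
    else:                # 8-byte UDP header, empty payload
        l4 = struct.pack("!HHHH", src_p, dst_p, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                     PROTO_NUM[proto], 0, socket.inet_aton(src_h), socket.inet_aton(dst_h))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4


def _pcap(frames) -> bytes:
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1443052519 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return gh + recs


SAMPLE_CONN = ConnId("10.0.0.5", 51234, "192.0.2.10", 80, "tcp")
SAMPLE_PCAP = _pcap([
    _frame("tcp", "10.0.0.5", 51234, "192.0.2.10", 80),   # the connection, forward
    _frame("udp", "10.0.0.5", 53000, "192.0.2.53", 53),   # unrelated DNS flow
    _frame("tcp", "192.0.2.10", 80, "10.0.0.5", 51234),   # the connection, reverse
    _frame("tcp", "10.0.0.5", 51235, "192.0.2.10", 80),   # same hosts, different port
])

if __name__ == "__main__":
    print(build_bpf_filter(SAMPLE_CONN))
    with open("conn.pcap", "wb") as fh:
        fh.write(carve_connection(SAMPLE_PCAP, SAMPLE_CONN))
```

The filter is deliberately written per direction rather than as `host A and host B and port X and port Y`, because the looser form also matches a second connection between the same hosts with the ports swapped. The fourth constructed frame (same hosts, neighbouring source port) is there to show the carve is exact.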