[Bro] Is it possible to export pcap for a given event / connection?

Doug Burks doug.burks at gmail.com
Thu Sep 24 03:29:15 PDT 2015

Hi Dirk,

Here's what we do in Security Onion [1]:

- Bro logs go into ELSA [2]

- for most Bro logs, you can use ELSA's getPcap plugin to pivot to CapMe [3]

- CapMe will then search the full packet capture store provided by
netsniff-ng [4] and provide you with an ASCII rendering of the stream
or the raw pcap itself

For more information and a screenshot of this in action, please see [5].

Hope that helps!

[1] - http://securityonion.net
[2] - https://github.com/mcholste/elsa
[3] - https://github.com/int13h/capme
[4] - http://netsniff-ng.org/
[5] - http://taosecurity.blogspot.com/2013/01/security-onion-elsa-or-snorby-capme.html

On Wed, Sep 23, 2015 at 12:56 PM, Dirk Leinenbach
<dirk at dirkleinenbach.de> wrote:
> Hi there,
> does bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?
> Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.
> One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.
> Thanks for your help,
> Dirk
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Doug Burks
Need Security Onion Training or Commercial Support?

More information about the Bro mailing list