[Bro] Is it possible to export pcap for a given event / connection?
doug.burks at gmail.com
Thu Sep 24 03:29:15 PDT 2015
Here's what we do in Security Onion [1]:
- Bro logs go into ELSA [2]
- for most Bro logs, you can use ELSA's getPcap plugin to pivot to CapMe [3]
- CapMe will then search the full packet capture store provided by netsniff-ng [4] and provide you with an ASCII rendering of the stream or the raw pcap itself
For more information and a screenshot of this in action, please see [5].
Hope that helps!
[1] http://securityonion.net
[2] https://github.com/mcholste/elsa
[3] https://github.com/int13h/capme
[4] http://netsniff-ng.org/
[5] http://taosecurity.blogspot.com/2013/01/security-onion-elsa-or-snorby-capme.html
On Wed, Sep 23, 2015 at 12:56 PM, Dirk Leinenbach <dirk at dirkleinenbach.de> wrote:
> Hi there,
> Does Bro provide some mechanism to find the packets that are related to (have caused) a given event or connection?
> Background: I'd like to be able to export pcap files in some situations for specific events; in that context I'm still able to get to the connection object, but I'd like to be able to see the original data as well for further analysis with Wireshark.
> One possibility would be to reconstruct filters from the event to filter the original trace retrospectively. But I'm wondering if there is a more direct way to identify / extract the relevant packets.
> Thanks for your help,
> Bro mailing list
> bro at bro-ids.org
Need Security Onion Training or Commercial Support?
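Dirk's fallback, rebuilding a filter from the connection record and applying it to the original trace, is what CapMe does for you at the end of the pipeline above. The following is an added example of that step in Python; it is not code from Bro, ELSA, CapMe or Security Onion. It assumes the default tab-separated conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, ...), a classic microsecond pcap of Ethernet/IPv4 frames, and a 5-second slack around Bro's ts/duration that is an arbitrary choice; the two conn.log lines and the capture it carves are constructed for the demo.

```python
"""Rebuild the packet filter for one Bro conn.log record and carve that
connection's packets out of a pcap (added example, not Bro/ELSA/CapMe/Security
Onion code).  Assumes default conn.log column order and a classic pcap of
Ethernet/IPv4 frames; records, capture and the 5 s slack are constructed."""
import socket
import struct

# Constructed conn.log records, default column order:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration ...
# For icmp the two port columns do not hold port numbers; a duration of "-" is unset.
CONN_LOG = (
    "1443022560.100000\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.5\t443"
    "\ttcp\tssl\t2.500000\t1820\t9455\tSF\t-\t0\tShADadfF\t21\t2932\t19\t10215\t(empty)\n"
    "1443022570.000000\tCYk7G22fkPwP1z8zX3\t192.0.2.10\t8\t198.51.100.5\t0"
    "\ticmp\t-\t-\t64\t0\tOTH\t-\t0\t-\t1\t92\t0\t0\t(empty)\n"
)
IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}

def parse_conn(line):
    """Pull the fields a filter needs out of one tab-separated conn.log line."""
    f = line.rstrip("\n").split("\t")
    return {"ts": float(f[0]), "uid": f[1], "orig_h": f[2], "orig_p": f[3],
            "resp_h": f[4], "resp_p": f[5], "proto": f[6],
            "duration": 0.0 if f[8] == "-" else float(f[8])}

def bpf_for(conn):
    """BPF expression matching both directions of the connection, for tcpdump -r."""
    proto, a, b = conn["proto"], conn["orig_h"], conn["resp_h"]
    if proto in ("tcp", "udp"):
        pa, pb = conn["orig_p"], conn["resp_p"]
        return (f"{proto} and ((src host {a} and src port {pa} and dst host {b} and dst port {pb})"
                f" or (src host {b} and src port {pb} and dst host {a} and dst port {pa}))")
    return f"{proto} and host {a} and host {b}"  # icmp: no real ports to match on

def time_window(conn, slack=5.0):
    """Bro's ts is the first packet, ts+duration the last; pad for retransmits."""
    return conn["ts"] - slack, conn["ts"] + conn["duration"] + slack

def packet_matches(frame, conn):
    """True if an Ethernet/IPv4 frame belongs to conn in either direction."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:]
    if ip[9] != IP_PROTO.get(conn["proto"]):
        return False
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if ip[9] == 1:  # icmp: hosts only, as in bpf_for()
        return {src, dst} == {conn["orig_h"], conn["resp_h"]}
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 4:  # truncated snaplen: no ports to compare
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    want = (conn["orig_h"], int(conn["orig_p"]), conn["resp_h"], int(conn["resp_p"]))
    return want in ((src, sport, dst, dport), (dst, dport, src, sport))

def carve(pcap, conn, slack=5.0):
    """Return (new pcap bytes, packet count) holding only conn's packets in its window."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    lo, hi = time_window(conn, slack)
    out, kept, pos = [pcap[:24]], 0, 24
    while pos + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        if lo <= sec + usec / 1e6 <= hi and packet_matches(frame, conn):
            out.append(pcap[pos:pos + 16 + incl])
            kept += 1
        pos += 16 + incl
    return b"".join(out), kept

def _frame(src, sport, dst, dport, proto):
    """Constructed minimal Ethernet/IPv4 frame carrying only L4 ports (or ICMP type/code)."""
    l4 = (b"\x08\x00" + b"\x00" * 6) if proto == 1 else (struct.pack("!HH", sport, dport) + b"\x00" * 16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(packets):
    """Little-endian classic pcap, Ethernet linktype, from (ts, frame) pairs."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", int(ts), int(round((ts - int(ts)) * 1e6)), len(f), len(f)) + f
            for ts, f in packets]
    return hdr + b"".join(recs)

# Constructed capture: the SSL connection (both directions), an unrelated connection
# from the next source port, the ICMP packet, and a later reuse of the same 4-tuple
# that falls outside the first connection's time window.
SAMPLE_PCAP = build_pcap([
    (1443022560.1, _frame("192.0.2.10", 51234, "198.51.100.5", 443, 6)),
    (1443022560.2, _frame("198.51.100.5", 443, "192.0.2.10", 51234, 6)),
    (1443022561.0, _frame("192.0.2.10", 51235, "198.51.100.5", 443, 6)),
    (1443022570.0, _frame("192.0.2.10", 0, "198.51.100.5", 0, 1)),
    (1443022600.0, _frame("192.0.2.10", 51234, "198.51.100.5", 443, 6)),
])

if __name__ == "__main__":
    for conn in map(parse_conn, CONN_LOG.splitlines()):
        print(conn["uid"], carve(SAMPLE_PCAP, conn)[1], "packets;", bpf_for(conn))
```

For a full-capture store too large to read into Python, the `bpf_for()` string is what you hand to `tcpdump -n -r full.pcap -w <uid>.pcap '<expr>'`, and the time window from `time_window()` is what you use to pick the rotated capture files worth reading. The window is not optional: the last sample packet reuses the same 4-tuple after the ephemeral port wraps, and only the time bound keeps it out of the carved pcap.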