[Bro] Monitoring a directory and running bro on the PCAPs

Azoff, Justin S jazoff at illinois.edu
Fri Sep 30 20:15:22 PDT 2016

> On Sep 30, 2016, at 5:25 PM, Johanna Amann <johanna at icir.org> wrote:
> Hi,
> unless you have a way to replay the data to an interface that Bro can
> listen on (either by duplicating the traffic, or by using something like
> tcpreplay), I am not really aware of a good solution.
> Johanna

Hmm, it probably wouldn't be that hard to write a 'pcapdir' pkt source for bro.  Basically it would just need to:

while(!terminating) {
    pcap_files = all .pcap files in SOURCE_DIR
    sort pcap_files by oldest  # hopefully there is only one file
    for each pcap file {
        open and process packets into bro
        delete pcap  # or move to a DONE_DIR/.
    }
    if no files in pcap_files
}

You'd just need the other tool to hardlink or move the pcaps into the SOURCE_DIR as they are done being written to.

This would also fix the tcp session issues.

- Justin Azoff
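
The loop sketched above, written out as a runnable Python prototype (an added example, not code from the thread or from Bro itself): a minimal classic-pcap record reader plus the polling generator that takes the oldest finished capture first and moves it to DONE_DIR. The function names, the SOURCE_DIR/DONE_DIR layout and the two sample captures in run_demo are assumptions constructed for the example; a real Bro pkt source would hand each yielded packet to the engine instead of collecting it in a list.

```python
import os
import shutil
import struct
import tempfile
import time

def read_pcap(path):
    """Yield (timestamp, packet_bytes) from one finished classic (microsecond) pcap file."""
    with open(path, "rb") as f:
        hdr = f.read(24)  # global header: magic, version, tz, sigfigs, snaplen, linktype
        end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[hdr[:4]]  # KeyError: not classic pcap
        while len(rec := f.read(16)) == 16:  # short read: clean end of file
            sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", rec)
            data = f.read(incl_len)
            if len(data) < incl_len:
                break  # truncated final record (writer died mid-packet): stop, do not raise
            yield sec + usec / 1e6, data

def pcapdir_packets(source_dir, done_dir, poll_interval=1.0, stop=lambda: False):
    """The loop from the message above: oldest .pcap first, then move it to DONE_DIR."""
    while not stop():
        files = [os.path.join(source_dir, n) for n in os.listdir(source_dir) if n.endswith(".pcap")]
        files.sort(key=os.path.getmtime)  # oldest first; the writer must only move in finished files
        if not files:
            time.sleep(poll_interval)  # nothing to do yet; poll again
            continue
        for path in files:
            yield from read_pcap(path)  # a real pkt source would hand these packets to Bro
            shutil.move(path, os.path.join(done_dir, os.path.basename(path)))  # or os.remove(path)

def write_pcap(path, packets, mtime, linktype=1):
    # Writes a little-endian classic pcap; used only to build the constructed demo input below.
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for ts, data in packets:
            f.write(struct.pack("<IIII", int(ts), int(round(ts % 1 * 1e6)), len(data), len(data)) + data)
    os.utime(path, (mtime, mtime))

def run_demo():
    # Constructed scenario: two finished captures already sit in SOURCE_DIR; drain them in mtime order.
    src = tempfile.mkdtemp()
    done = os.path.join(src, "done")  # DONE_DIR lives beside the captures; it is not a .pcap so it is skipped
    os.makedirs(done)
    write_pcap(os.path.join(src, "later.pcap"), [(10.5, b"\x02")], mtime=200)
    write_pcap(os.path.join(src, "earlier.pcap"), [(1.0, b"\x01"), (2.25, b"\x03")], mtime=100)
    pkts = list(pcapdir_packets(src, done, stop=lambda: not [n for n in os.listdir(src) if n.endswith(".pcap")]))
    done_names = sorted(os.listdir(done))
    shutil.rmtree(src)
    return [d for _, d in pkts], [ts for ts, _ in pkts], done_names
```

Because the generator keeps running across file boundaries, a TCP session split over two captures is seen as one stream by whatever consumes the packets, which is the session-tracking gain mentioned above.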

More information about the Bro mailing list