[Bro] broctl write output pcap

Johanna Amann johanna at icir.org
Wed Apr 5 09:46:07 PDT 2017


in theory, you can pass arbitrary flags to Bro when it is called by
broctl, by setting BroArgs in broctl.cfg (see

Note that writing pcap files with Bro has a few problems at the moment (I
think); I think it might corrupt packages under some circumstances. It
certainly is not a widely used feature and receives no testing at all.


On Wed, Mar 15, 2017 at 12:00:35PM +0200, Alex Kefallonitis wrote:
> I know that i can run bro -i eth0 -w .pcap . Is there a way broctl to also
> write to pcap file?

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list