Randy,<br><br>Maybe this is easy way to get raw trace -<br><br><a href="http://geek00l.blogspot.com/2006/12/bro-ids-enable-full-content-data.html">http://geek00l.blogspot.com/2006/12/bro-ids-enable-full-content-data.html</a>
<br><br>If you are really looking at ring buffer, daemonlogger will do. <br><br clear="all">If you are encountering any issue with bro in certain timeline and say you want to extract the data from that period, you can do the job with tcpslice. 
<br><br>Cheers ;]<br><br>-- <br>Best Regards,<br><br>CS Lee&lt;geek00L[at]gmail.com&gt;<br><br><a href="http://geek00l.blogspot.com">http://geek00l.blogspot.com</a>