[Bro] Bro on other Packet Trace Dumps.

Dana Zhang berry1.0 at gmail.com
Tue Apr 5 01:32:46 PDT 2005


Whoops. I'll CC it now.

On Apr 5, 2005 6:26 PM, Jonathan Paisley <jp-www at dcs.gla.ac.uk> wrote:
> On 5 Apr 2005, at 9:11, Dana Zhang wrote:
> 
> > Can I assume that dagconvert comes with Endace and I cannot actually
> > download it from the web anywhere? I did not capture the packets
> > myself, so I do not actually have an Endace monitoring card.
> 
> Ah, you're right. dagconvert is part of the dag driver package, which
> is only available with the card.
> 
> > I downloaded dagtools from http://dag.cs.waikato.ac.nz/ (thanks
> > christoph) and used dagbpf to convert from my format to tcpdump.
> > Unfortunately I am still unable to run bro. Bro gives me this error:
> >
> > bro: problem with trace file 19991120-124258-0TCP - unknown data link
> > type 0xb
> 
> I suspect dagbpf only works with old-format DAG trace files, and as a
> result is producing nonsense pcap files.
> 
> Recent versions of ethereal support reading ERF format traces. As a
> result, you can use the command line 'tethereal' to convert:
> 
> $ tethereal -r dagtrace -w pcaptrace
> 
> It's not very fast, however.
> 
> If it's okay with you, please CC any replies back to the bro list so
> this can go in the archives.
> 
> Thanks.
> 
>
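The "unknown data link type 0xb" that Bro reports comes straight from the `network` field of the pcap global header (0xb is DLT_ATM_RFC1483 in libpcap's table), so a converter that writes a bogus header shows up as exactly this symptom before a single packet is parsed. The following is an added example, not code from the original thread, from Bro, or from the dagtools package: it reads the pcap global header, reports the link-layer type by name, and walks the packet records checking that each `incl_len` fits within `snaplen` and `orig_len`, which is the quickest way to tell a sane conversion from a nonsense one. The `accepted` set (Ethernet only) is an assumption for illustration and not Bro's real list; the sample traces are constructed inline.

```python
import struct

# Link-layer header type codes as written in the pcap global header.
# Values are libpcap's DLT_/LINKTYPE_ constants; only a handful are listed.
LINKTYPE_NAMES = {
    0: "NULL (BSD loopback)",
    1: "EN10MB (Ethernet)",
    9: "PPP",
    10: "FDDI",
    11: "ATM_RFC1483",
    12: "RAW (DLT_RAW on most platforms)",
    101: "RAW (LINKTYPE_RAW)",
    105: "IEEE802_11",
    113: "LINUX_SLL",
    197: "ERF (Endace record format)",
}

# Classic (microsecond) and nanosecond pcap magic numbers.
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)


def inspect_pcap(data, accepted=frozenset({1})):
    """Parse a pcap savefile held in `data` and return a summary dict.

    `accepted` is the set of link-layer types the consumer is assumed to
    handle (Ethernet only by default; an illustrative assumption, not Bro's
    actual list).  Problems are collected, not raised, so the caller can
    report all of them at once.
    """
    problems = []
    if len(data) < 24:
        return {"ok": False, "problems": ["shorter than the 24-byte global header"]}

    # Endianness is whichever byte order makes the magic read correctly.
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        return {"ok": False, "problems": ["bad magic: not a pcap savefile"]}

    ver_major, ver_minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    name = LINKTYPE_NAMES.get(linktype, "unknown")
    if linktype not in accepted:
        problems.append("link type %d (0x%x, %s) not in accepted set" % (linktype, linktype, name))

    # Walk the records: 16-byte header (ts_sec, ts_frac, incl_len, orig_len) + body.
    offset, npkts = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            problems.append("truncated record header at offset %d" % offset)
            break
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen:
            problems.append("record %d: incl_len %d exceeds snaplen %d" % (npkts, incl_len, snaplen))
        if incl_len > orig_len:
            problems.append("record %d: incl_len %d exceeds orig_len %d" % (npkts, incl_len, orig_len))
        if offset + 16 + incl_len > len(data):
            problems.append("record %d: body runs past end of file" % npkts)
            break
        offset += 16 + incl_len
        npkts += 1

    return {
        "ok": not problems,
        "version": (ver_major, ver_minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": name,
        "packets": npkts,
        "problems": problems,
    }


def build_pcap(linktype, packets, snaplen=65535):
    """Constructed sample data: a little-endian, microsecond pcap with `linktype`."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1000000000 + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


if __name__ == "__main__":
    frame = b"\x00" * 60  # constructed placeholder Ethernet frame
    for label, trace in (
        ("ethernet", build_pcap(1, [frame, frame])),
        ("linktype 0xb as in the Bro error", build_pcap(0xB, [frame])),
        ("snaplen smaller than a record", build_pcap(1, [frame], snaplen=40)),
    ):
        r = inspect_pcap(trace)
        print("%s: ok=%s type=%s packets=%s" % (label, r["ok"], r.get("linktype_name"), r.get("packets")))
        for p in r["problems"]:
            print("  - " + p)
```

Run it against a converted trace by reading the file into `data`; a header that names an unexpected link type, or records whose lengths contradict the header, is the converter's fault and no amount of Bro configuration will fix it.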