[Bro] Bro on other Packet Trace Dumps.
Dana Zhang
berry1.0 at gmail.com
Mon Mar 28 00:35:10 PST 2005
Hi Chris,
> I'm not sure, but I think that tcpdump is the only format at the moment which
> can be read by Bro.
> What format do you have? Maybe there is a converter around...
>
The current format of my data is just packet headers in binary. I
tried to convert to tcpdump format myself. Can I confirm that the tcpdump
format for TCP connections is:
src > dst: flags data-seqno ack window urgent options
I'm only working with TCP packets.
A couple of examples of my packets are as follows:
10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623
10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474
10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0
10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320
However, when I run this file with Bro using
> bro -r dumpfile brolite
I receive the error "problem with trace file dumpfile - bad dump file format".
Is there something I missed?
Cheers,
Dana
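The lines quoted above are tcpdump's text rendering of packets, whereas `bro -r` reads the binary libpcap file format (the same format `tcpdump -w` writes). As an added example that is not part of the original thread or the Bro project, the script below parses exactly the TCP summary lines shown in the post (address.port pairs, flag letters, seq:end(len), optional ack, win, optional urg) and emits a valid libpcap file with synthesized Ethernet, IPv4 and TCP headers. Everything not present in the text (MAC addresses, timestamps, IP id, TTL, payload bytes, and the file name `converted.pcap`) is a placeholder assumption; TCP options after the window field are not handled.

```python
"""Convert tcpdump-style TCP summary lines into a libpcap (.pcap) file.

Added example, not code from the original post or from Bro. Only fields
printed in the text (addresses, ports, flags, seq/ack, length, window,
urgent pointer) are real; MACs, timestamps, IP id, TTL and payload bytes
are synthesized placeholders.
"""
import re
import socket
import struct

# Sample lines taken from the post above (the wrapped one joined back together).
SAMPLE_LINES = [
    "10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623",
    "10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474",
    "10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0",
    "10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320",
]

# Classic tcpdump TCP line: src.port > dst.port: flags seq:end(len) [ack N] win N [urg N]
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: urg (?P<urg>\d+))?"
)

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH}  # "." means none of these


def parse_tcpdump_line(line):
    """Parse one tcpdump TCP summary line into a dict of header fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP line: %r" % line)
    g = m.groupdict()
    flags = 0
    for ch in g["flags"]:
        flags |= FLAG_LETTERS.get(ch, 0)
    if g["ack"] is not None:
        flags |= ACK
    if g["urg"] is not None:
        flags |= URG  # assumption: tcpdump prints "urg N" only when URG is set
    return {
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "flags": flags, "seq": int(g["seq"]), "ack": int(g["ack"] or 0),
        "len": int(g["len"]), "win": int(g["win"]), "urg": int(g["urg"] or 0),
    }


def checksum(data):
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(rec):
    """Build Ethernet + IPv4 + TCP bytes for a parsed record; payload is zeros."""
    payload = b"\x00" * rec["len"]
    src, dst = socket.inet_aton(rec["src"]), socket.inet_aton(rec["dst"])
    # TCP header with a zero checksum, then fill it in over the pseudo-header.
    tcp = struct.pack("!HHIIBBHHH", rec["sport"], rec["dport"], rec["seq"],
                      rec["ack"], 5 << 4, rec["flags"], rec["win"], 0, rec["urg"])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: synthesized id 0, no fragmentation, TTL 64, protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"  # placeholder zero MACs, EtherType IPv4
    return eth + ip + tcp + payload


def verify_packet(pkt):
    """True if both the IPv4 and TCP checksums of a built packet verify to zero."""
    ip, tcp_seg = pkt[14:34], pkt[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return checksum(ip) == 0 and checksum(pseudo + tcp_seg) == 0


def to_pcap_bytes(lines, start_ts=0):
    """Serialize text lines into libpcap file format (magic a1b2c3d4, linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, line in enumerate(lines):
        pkt = build_packet(parse_tcpdump_line(line))
        # Synthesized timestamps: one packet per millisecond starting at start_ts.
        sec, usec = start_ts + i // 1000, (i % 1000) * 1000
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def write_pcap(lines, path):
    """Write the converted lines to a .pcap file readable by bro -r / tcpdump -r."""
    with open(path, "wb") as f:
        f.write(to_pcap_bytes(lines))


if __name__ == "__main__":
    write_pcap(SAMPLE_LINES, "converted.pcap")  # then: bro -r converted.pcap brolite
```

Because the payload is all zeros, application-layer analysis will see nothing meaningful; the conversion is only faithful at the TCP-header level the text preserves. A quick sanity check before feeding the file to Bro is `tcpdump -r converted.pcap`, which should print the same four lines (with the synthesized timestamps and without the original wall-clock times).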