[Bro] Bro on other Packet Trace Dumps.

Christoph Göldi goeldich at ee.ethz.ch
Mon Mar 28 01:52:44 PST 2005


hi dana

> are you saying that when this is run:
>>> bro -r dumpfile brolite 
> dumpfile is a binary file? 

yes it is!

> I thought bro took a tcpdump file and
> tcpdump outputs files in the format of :
> src > dst: flags data-seqno ack window urgent options

no. tcpdump files are in a binary format. but when you make it visible
with the tcpdump command it looks like what you said.

> my packets were captured using a DAG2 system. traces are in DAG
> format, which is a fixed 64 bytes record format with 40 bytes of IP
> header. I extracted from my binary to make it look like a tcpdump
> file.

what an exotic format!
please, go to http://dag.cs.waikato.ac.nz/, then enter the download section
and get the dag-tools. install it and use the dagbpf command.
i didn't check this out, i only did the internet searches for you...
what i'm telling you are the basics. maybe you have to read a bit first before
you come and ask again.

have fun
christoph

> On Mon, 28 Mar 2005 10:49:01 +0200, Christoph Göldi <goeldich at ee.ethz.ch>
> wrote:
>> hi dana
>> 
>> tcpdump is also a binary format.
>> how did you catch your dump?
>> i mean when you catch it with tcpdump you get exactly what you described:
>> packet headers in binary.
>> 
>> cheers
>> christoph
>> 
>> --On Montag, 28. März 2005 18:35 +1000 Dana Zhang <berry1.0 at gmail.com>
>> wrote:
>> 
>> > hi Chris,
>> > 
>> >> i'm not sure, but i think that tcpdump is the only format at the
>> >> moment which can be read by bro.
>> >> what format do you have? maybe there is a converter around...
>> >> 
>> > 
>> > The current format of my data is just packet headers in binary. I
>> > tried to convert to tcpdump format myself. can I confirm that tcpdump
>> > format for tcp connections is:
>> > src > dst: flags data-seqno ack window urgent options
>> > 
>> > i'm only working with tcp packets.
>> > a couple of examples of my packets are as follows
>> > 10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623
>> > 10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474
>> > 10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0
>> > 10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320
>> > 
>> > However, when I run this file with bro using
>> >> bro -r dumpfile brolite
>> > I receive the error "problem with trace file dumpfile - bad dump file
>> > format".
>> > 
>> > Is there something I missed?
>> > Cheers,
>> > Dana
>> 
>> 
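The binary-versus-text distinction Christoph makes above, as an added example that is not code from this thread or from Bro: a check of the libpcap magic bytes that tells a real tcpdump capture apart from a printed listing like Dana's, plus a minimal writer and reader for the binary record layout, which is what `bro -r` (like `tcpdump -r`) actually expects. The magic values and the 24-byte global header are the standard libpcap format; the sample frame bytes and timestamps are constructed.

```python
import struct

# libpcap global-header magic values (first 4 bytes of a tcpdump capture).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">"),     # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("pcap", "<"),     # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ("pcap-ns", ">"),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("pcap-ns", "<"),  # little-endian, nanosecond timestamps
}

# Constructed sample: 14-byte Ethernet header followed by a 20-byte IPv4 header stub.
SAMPLE_FRAME = b"\x00" * 14 + b"\x45\x00\x00\x14" + b"\x00" * 16


def identify_capture(data):
    """Return 'pcap', 'pcap-ns', 'text' or 'unknown' for the leading bytes of a file."""
    kind = PCAP_MAGICS.get(data[:4])
    if kind is not None:
        return kind[0]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    # Printed tcpdump output ("src > dst: flags ...") is what Bro cannot read.
    return "text" if " > " in text else "unknown"


def write_pcap(packets, linktype=1):
    """Build a little-endian pcap file: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, incl_len, orig_len) plus the raw bytes of each packet.
    linktype 1 is Ethernet; the timestamp base is an arbitrary constructed value."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1112000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Parse the packet records back out, honoring the byte order the magic implies."""
    kind = PCAP_MAGICS.get(data[:4])
    if kind is None:
        raise ValueError("bad dump file format")  # the error Bro printed for a text file
    endian, packets, off = kind[1], [], 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        packets.append(data[off:off + incl_len])
        off += incl_len
    return packets
```

Run `identify_capture(open("dumpfile", "rb").read(64))` on a suspect file: "text" means the file is a listing, not a capture, and no tool that reads the tcpdump format will accept it.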