[Bro] Bro as a fancy pcap filter

Robin Sommer robin at icir.org
Mon Nov 21 19:04:46 PST 2005


On Mon, Nov 21, 2005 at 21:15 -0500, Ruoming Pang wrote:

> And you can imagine calling dump_packets_of_connection() in all kinds 
> of other events.

Alternatively, and more fine-grained, there is 

global dump_current_packet: function(file_name: string): bool;

which can be called at any time and, well, dumps the current packet
into the given file. If the file already exists, the packet is
appended. If you always dump into the same file, Bro is smart enough
to keep it open all the time. 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
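As an added illustration of the usage Robin describes (this is not code from his message or from the Bro distribution), a small Bro policy script that calls `dump_current_packet()` from two event handlers: once for the packet that establishes a connection to a port of interest, and then for every later packet of a connection that has been flagged. The file name, the port set, the use of the `new_packet` event, and the connection-tracking table are all assumptions for this example; `dump_current_packet(file_name: string): bool` itself is the built-in named above.

```bro
# Added example, not part of the original message.  Assumed names:
# dump_file, interesting_ports, flagged, and the new_packet event.

# The pcap file written to; dump_current_packet() appends if it
# already exists and Bro keeps it open when the name does not change.
const dump_file = "interesting.pcap" &redef;

# Connections whose responder port is in this set get dumped.
const interesting_ports: set[port] = { 22/tcp, 23/tcp } &redef;

# Connection IDs we have decided to dump; entries time out on their own.
global flagged: set[conn_id] &write_expire = 10 min;

function dump_now()
	{
	# dump_current_packet() returns F if the file could not be written.
	if ( ! dump_current_packet(dump_file) )
		print fmt("dump_current_packet: could not write to %s", dump_file);
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p in interesting_ports )
		{
		# The packet being processed right now is the one that
		# completed the handshake; write it and remember the connection.
		add flagged[c$id];
		dump_now();
		}
	}

# new_packet fires for every packet Bro processes (assumed available;
# it is expensive on busy links, so keep the flagged set small).
event new_packet(c: connection, p: pkt_hdr)
	{
	if ( c$id in flagged )
		dump_now();
	}

event connection_finished(c: connection)
	{
	if ( c$id in flagged )
		delete flagged[c$id];
	}
```

Because every call names the same file, all dumped packets end up in one pcap that can be read back with any libpcap tool; switching the file name per call would instead open and close a file for each packet.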


