[Bro] About Bro and splitting of the tcpdump trace

Ruoming Pang rpang at cs.princeton.edu
Mon Sep 26 10:04:59 PDT 2005


> I want to find a tool to split the captured trace (using the tcpdump tool) 
> into two parts: the normal sub-trace and the abnormal one, which 
> comprises the network attacks detected. Can Bro do this? If not, any 
> suggestion is preferred.

I can answer part of the question. Suppose you want to split a trace 
into two sets of connections, A and B. If you can write a Bro policy 
script to determine for each connection whether it belongs to A or B, 
you can instruct Bro to write packets to an output trace on a 
connection-by-connection basis. The function to call is:

# Dump original packets on the connection up to this point to the
# output trace, if any.
function dump_packets_of_connection%(c: connection%): any

Ruoming
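The approach above has two parts: decide per connection which side it belongs to, then route every packet of that connection to the matching output trace. The following is an added example, not part of the thread and not Bro code: it does the same connection-by-connection split in plain Python (stdlib only) so the mechanics can be seen end to end. One detail it reproduces is the caveat in the comment on dump_packets_of_connection, which only dumps the packets seen "up to this point": a verdict such as "this TCP connection never completed a handshake" is not known until the connection is over, so packets are buffered per connection and written only after the classifier has seen the whole connection. The port list in SUSPICIOUS_PORTS and the handshake heuristic are placeholder classification rules chosen for the demo, and the trace it runs on is constructed in the code, not captured traffic.

```python
"""Split a tcpdump trace into a normal and an abnormal pcap, one whole connection
at a time. Stdlib only; the sample trace at the bottom is constructed, not captured."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_RAW_IPV4 = 228                 # DLT_IPV4: frames start at the IP header
L2_OFFSET = {228: 0, 101: 0, 1: 14}     # link-layer bytes to skip: DLT_IPV4, DLT_RAW, DLT_EN10MB
SYN, RST, ACK = 0x02, 0x04, 0x10        # TCP flag bits used below
SUSPICIOUS_PORTS = {23, 445}            # assumption for the demo, not a Bro default

def read_pcap(data):
    """Parse a classic (non-pcapng) pcap into (linktype, [(ts_sec, ts_usec, bytes)])."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    ghdr, phdr = struct.Struct(endian + "IHHiIII"), struct.Struct(endian + "IIII")
    linktype, off, records = ghdr.unpack_from(data, 0)[6], ghdr.size, []
    while off + phdr.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = phdr.unpack_from(data, off)
        off += phdr.size
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def write_pcap(linktype, records):
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, pkt in records:
        out += PKT_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return bytes(out)

def conn_key(ip):
    """Bidirectional key (proto, (ip, port), (ip, port)) for IPv4 TCP/UDP; endpoints
    are sorted so both directions map to one connection. None for anything else."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return (proto,) + tuple(sorted([(ip[12:16], sport), (ip[16:20], dport)]))

def tcp_flags(ip):
    return ip[(ip[0] & 0x0F) * 4 + 13]

def is_abnormal(key, pkts):
    """Example classifier. 'No SYN/ACK ever seen' can only be decided once the
    connection is over, which is why the split buffers packets per connection."""
    proto, (_, port_a), (_, port_b) = key
    if port_a in SUSPICIOUS_PORTS or port_b in SUSPICIOUS_PORTS:
        return True
    if proto == 6:  # TCP that never completed a handshake: half-open probe or scan
        return not any(tcp_flags(p) & (SYN | ACK) == (SYN | ACK) for p in pkts)
    return False

def split_by_connection(pcap, classifier):
    """Return (normal_pcap, abnormal_pcap). Every packet of a connection goes to the
    side classifier(key, packets) picks; non-IPv4/TCP/UDP packets stay in the normal
    trace; original packet order is preserved in both outputs."""
    linktype, records = read_pcap(pcap)
    l2 = L2_OFFSET[linktype]
    conns = {}  # key -> indices of its packets, in arrival order
    for i, (_, _, pkt) in enumerate(records):
        key = conn_key(pkt[l2:])
        if key is not None:
            conns.setdefault(key, []).append(i)
    abnormal_idx = set()
    for key, idxs in conns.items():
        if classifier(key, [records[i][2][l2:] for i in idxs]):
            abnormal_idx.update(idxs)
    normal = [r for i, r in enumerate(records) if i not in abnormal_idx]
    abnormal = [r for i, r in enumerate(records) if i in abnormal_idx]
    return write_pcap(linktype, normal), write_pcap(linktype, abnormal)

# --- constructed sample data (checksums left zero; enough for header parsing) ---
def make_ip(src, dst, proto, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst)) + l4

def make_tcp(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return make_ip(src, dst, 6, tcp + payload)

def make_udp(src, dst, sport, dport, payload):
    return make_ip(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def build_sample_trace():
    """One full HTTP handshake, a telnet SYN answered by RST, a lone SYN to ssh, a DNS query."""
    a, b, c, d = (10, 0, 0, 1), (10, 0, 0, 2), (10, 0, 0, 3), (10, 0, 0, 4)
    pkts = [make_tcp(a, b, 40000, 80, SYN), make_tcp(b, a, 80, 40000, SYN | ACK),
            make_tcp(a, b, 40000, 80, ACK, b"GET / HTTP/1.0\r\n\r\n"),
            make_tcp(a, c, 40001, 23, SYN), make_tcp(c, a, 23, 40001, RST | ACK),
            make_tcp(a, d, 40002, 22, SYN),
            make_udp(a, b, 40003, 53, b"\x00" * 12)]
    return write_pcap(LINKTYPE_RAW_IPV4, [(1127754000 + i, 0, p) for i, p in enumerate(pkts)])

def demo():
    """Split the constructed trace; returns (normal_count, abnormal_count) = (4, 3)."""
    normal, abnormal = split_by_connection(build_sample_trace(), is_abnormal)
    return len(read_pcap(normal)[1]), len(read_pcap(abnormal)[1])
```

On the constructed trace, the three HTTP packets and the DNS query land in the normal output and the telnet and ssh attempts (three packets) in the abnormal one. To run it on a real capture, read the file into bytes, call split_by_connection with your own classifier, and write the two returned byte strings to disk; only classic pcap (not pcapng) and the three link types in L2_OFFSET are handled, and IPv4 fragments or VLAN-tagged Ethernet frames would need extra parsing.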
