[Bro] bro and flow splitting

Christian Kreibich christian at whoop.org
Mon Feb 20 08:53:38 PST 2006


On Mon, 2006-02-20 at 10:22 +0100, Manuel Crotti wrote:
> Hi all,
> Bro can extract flow information from a dumpfile (I use it with the mt
> option).
> I would like to split the entire dump into parts, one for each flow
> included in the dump.
> Is it possible with Bro alone?

Manuel, the demux.bro policy can write the application-layer *contents*
of individual flows to separate output files:

http://www.bro-ids.org/Bro-reference-manual/demux-Analysis-Script.html

If you want to demux the flows' individual *packets*, then check out
Netdude's command-line demux plugin. It can demux input traces on per-
flow, per-{src,dst}-port, and per-{src,dest}-port+host granularity:

http://sourceforge.net/project/showfiles.php?group_id=22071&package_id=108810&release_id=232168

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
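As an added example (not part of this post, and not Bro's demux.bro or Netdude's demux plugin), here is a small stand-alone Python demuxer for the packet-level split the second option above describes: it reads a classic libpcap trace and writes one trace per bidirectional flow, keyed on the (protocol, endpoint, endpoint) tuple with both directions of a conversation landing in the same file. It assumes an Ethernet trace carrying IPv4 with TCP or UDP; anything else goes into a single "other.pcap" so no packet is silently dropped. The four-packet sample trace, the function names and the output naming are my own constructions.

```python
"""Packet-level flow demuxer for classic libpcap traces (added example,
not Bro's demux.bro and not Netdude's plugin; Ethernet/IPv4/TCP|UDP only)."""
import socket
import struct
from collections import OrderedDict
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1
TCP, UDP = 6, 17


def flow_key(frame):
    """Direction-independent (proto, endpointA, endpointB) key for an
    Ethernet/IPv4/TCP|UDP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (TCP, UDP) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    # Sorting the endpoints makes both directions of a conversation one flow.
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, a, b)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for each record of a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != DLT_EN10MB:
        raise ValueError("this example only handles Ethernet traces")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl


def pcap_bytes(records):
    """Serialise (ts_sec, ts_usec, frame) records as a little-endian pcap."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def demux(data):
    """Group the trace's packets by flow key, preserving first-seen order."""
    flows = OrderedDict()
    for rec in read_pcap(data):
        flows.setdefault(flow_key(rec[2]) or ("other",), []).append(rec)
    return flows


def flow_filename(key):
    """Output name per flow; 'other.pcap' is the catch-all for non-IPv4/TCP/UDP."""
    if key == ("other",):
        return "other.pcap"
    proto, (a_ip, a_port), (b_ip, b_port) = key
    return "%s_%s-%d_%s-%d.pcap" % ({TCP: "tcp", UDP: "udp"}[proto], a_ip, a_port, b_ip, b_port)


def demux_to_files(data, outdir):
    """Write one pcap per flow into outdir; returns the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for key, recs in demux(data).items():
        path = outdir / flow_filename(key)
        path.write_bytes(pcap_bytes(recs))
        paths.append(path)
    return paths


def make_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP|UDP frame for the sample trace
    (checksums left zero; the demuxer never looks at them)."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x10, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + l4


def build_sample_pcap():
    """Constructed four-packet trace: one TCP conversation (both directions),
    one UDP datagram, and one ARP frame that lands in the catch-all."""
    frames = [
        make_frame("10.0.0.1", "10.0.0.2", TCP, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
        make_frame("10.0.0.1", "10.0.0.3", UDP, 53000, 53, b"\x12\x34\x01\x00"),
        make_frame("10.0.0.2", "10.0.0.1", TCP, 80, 40000, b"HTTP/1.0 200 OK\r\n"),
        b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28,
    ]
    return pcap_bytes((1140000000 + i, 0, f) for i, f in enumerate(frames))


if __name__ == "__main__":
    for p in demux_to_files(build_sample_pcap(), "demuxed"):
        print(p, len(list(read_pcap(p.read_bytes()))), "packets")
```

Run it as a script and it writes three files under demuxed/: the TCP conversation with both its packets, the lone UDP datagram, and other.pcap holding the ARP frame. To split a real capture, pass Path("trace.pcap").read_bytes() to demux_to_files instead of the constructed sample; note this toy keys purely on the 5-tuple, so it never closes a flow and will merge a reused port pair, which is where a real tool's connection tracking earns its keep.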
