[Bro] Bro traffic logging
Robin Sommer
robin at icir.org
Sat Jul 1 10:36:31 PDT 2006
On Thu, Jun 29, 2006 at 01:17 -0700, Lee Sheng wrote:
> Is there a way when bro logs the suspicious traffic
> in pcap format but with separated files?
There's no out-of-the-box solution for this but Bro provides the
functions dump_packet(pkt: pcap_packet, file_name: string) and
get_current_packet() which can be used to achieve this. However, due
to the packets being passed to the script-layer, this is most
suitable for capturing a few selected packets, not a large bunch of
them.
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
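As an added example that is not part of the original thread, the following Bro policy script uses the two functions Robin names to write one pcap file per selected connection. It assumes the `connection_established` event and the `fmt()` function are available in the Bro version in use; the set of service ports and the output directory are constructed values chosen for illustration. Only the packet that completes each selected connection's handshake is dumped, which keeps the script within the "few selected packets" use Robin describes rather than trying to capture whole flows.

```bro
# Added example (not from the original thread): write one pcap file per
# selected connection using get_current_packet() and dump_packet().
# Assumptions: the connection_established event and fmt() exist in the
# Bro version in use; the ports and directory below are constructed values.

# Only capture connections to these service ports (constructed values;
# adjust to whatever is worth keeping for later review).
const capture_ports: set[port] = { 22/tcp, 23/tcp } &redef;

# Directory the per-connection files are written to (constructed value).
const capture_dir = "/var/spool/bro-pcaps" &redef;

# Build a file name unique to the connection:
#   <capture_dir>/<orig_h>_<orig_p>-<resp_h>_<resp_p>.pcap
function capture_file_name(c: connection): string
    {
    return fmt("%s/%s_%s-%s_%s.pcap", capture_dir,
               c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }

event connection_established(c: connection)
    {
    # Skip everything that is not on a port we care about, so only a
    # small number of packets ever reach the script layer's dumper.
    if ( c$id$resp_p !in capture_ports )
        return;

    # get_current_packet() returns the packet that triggered this event,
    # i.e. the one that completed the handshake; dump_packet() writes it
    # to the named file in pcap format, giving one file per connection.
    local pkt = get_current_packet();
    dump_packet(pkt, capture_file_name(c));

    print fmt("dumped handshake packet of %s:%s -> %s:%s to %s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              capture_file_name(c));
    }
```

Load it with the rest of the policy (for example by adding it to the list of scripts Bro is started with); each matching connection then produces its own pcap file under `capture_dir`, which can be opened with any pcap-aware tool. If more than one packet per connection is wanted, the same `dump_packet()` call can be repeated from other events for that connection, but, as Robin notes, the cost of passing packets to the script layer makes this unsuitable for bulk capture.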