[Bro] Bro traffic logging

Robin Sommer robin at icir.org
Sat Jul 1 10:36:31 PDT 2006


On Thu, Jun 29, 2006 at 01:17 -0700, Lee Sheng wrote:

> Is there a way for Bro to log the suspicious traffic
> in pcap format, but in separate files?

There's no out-of-the-box solution for this, but Bro provides the
functions dump_packet(pkt: pcap_packet, file_name: string) and
get_current_packet() which can be used to achieve this. However, because
the packets have to be passed up to the script layer, this is most
suitable for capturing a few selected packets, not a large bunch of
them.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
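As an added illustration of the approach Robin describes (this is not code from the original thread or from the Bro distribution), the following Bro script writes the packets of selected connections to per-connection pcap files using dump_packet() and get_current_packet(). It assumes the standard script-layer events signature_match, new_packet and connection_state_remove with their usual record types, assumes that repeated dump_packet() calls naming the same file append to it, and uses a hypothetical output directory /var/bro/suspicious.

```bro
# Added example, not part of the original message: per-connection pcap
# dumps from the script layer via dump_packet() and get_current_packet().
# Assumptions: standard Bro events/records; dump_packet() appends when
# called repeatedly with the same file name; the directory is hypothetical.

const dump_prefix = "/var/bro/suspicious" &redef;

# Connections we have decided to capture.
global dumping: set[conn_id];

# One file per 4-tuple, so each suspicious connection lands in its own pcap.
function pcap_name(id: conn_id): string
	{
	return fmt("%s/%s.%s-%s.%s.pcap", dump_prefix,
	           id$orig_h, id$orig_p, id$resp_h, id$resp_p);
	}

# Decide what is "suspicious": here, any connection matching a signature.
# The packet that triggered the match is the current packet, so dump it now.
event signature_match(state: signature_state, msg: string, data: string)
	{
	add dumping[state$conn$id];
	dump_packet(get_current_packet(), pcap_name(state$conn$id));
	}

# Every later packet of a marked connection is appended to that file.
# new_packet fires for every packet Bro sees, which is exactly the
# script-layer cost the reply warns about: keep the set of marked
# connections small.
event new_packet(c: connection, p: pkt_hdr)
	{
	if ( c$id in dumping )
		dump_packet(get_current_packet(), pcap_name(c$id));
	}

# Stop tracking once the connection's state is discarded.
event connection_state_remove(c: connection)
	{
	if ( c$id in dumping )
		delete dumping[c$id];
	}
```

The set lookup in new_packet is cheap, but the event itself is raised for every packet on the wire, so on a busy link this handler alone can dominate script-layer CPU; restrict the trigger (here signature_match) to a narrow set of connections, as the reply suggests.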