[Bro] generating bro report from packet capture

Jean-Philippe Luiggi jp.luiggi at free.fr
Thu Aug 16 21:00:14 PDT 2007


Hello,

The message is saying that Bro is unable to find anything to say regarding
the time range. It uses the date taken from the pcap file, and so from the various logs.

The script "site-report.pl" uses (by default) :

+-+-+
$DEFAULT_CONFIG->{'report-range'} = 24;
$DEFAULT_CONFIG->{'report-start'} = 'yesterday';
+-+-+

So if you run the report more than 24 hours after the date of the
data captured, it seems to be normal to have nothing reported (but I may be
wrong).

A possible workaround is to use the options given by the script :

+-+-+
Options passed to the program on the command line
Command line reference
--report-range|-r   Length of time (in hours) from report-start to report
                    on. This will be overridden by report-end if
                    specified.
		    (default: 24)
--report-start|-s   The start time of the data to report on. See date format
                    below.  Values of yesterday and today are also
                    understood and default to to a start time of 00:30 hours
		    (default: yesterday)
--report-end|-e     The end time of the data to report on.
		    This will override report-range if specified.
							 
( Examples:   2004-12-26T01:23:00, accurate to seconds field
              2004-12-26, Is the same as 2004-12-26T00:00:00
	      2004-12-26T13, Is the same as 2004-12-26T13:00:00 )
+-+-+

Best regards,

Jean-philippe.


On Thu, Aug 16, 2007 at 05:56:18PM +0800, mel wrote:
> Hi,
> 
> I want to generate bro reports from tcpdump packet capture files. Those 
> files were captured from different networks. So:
> 
> bro -r file.pcap will generate log files:
> 
> alarm.log
> conn.log
> notice.log
> weird.log
> 
> When I run site-report.pl, I get
> 
> No connection data found for the time period specified.
> Unable to create a report.
> 
> What does this error mean? Note that the packet capture files may be 
> several days old.
> 
> --mel
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
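
The workaround discussed in this thread, as an added example that is not part of the original messages or of Bro's own scripts: it reads the timestamps in conn.log, checks whether the default window (yesterday at 00:30, 24 hours long) would cover them, and builds the `--report-start`/`--report-end` values in the date format from the help text. It assumes the first whitespace-separated field of each conn.log line is an epoch timestamp; the sample lines and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import math

FMT = "%Y-%m-%dT%H:%M:%S"  # date format shown in the script's help text

# Constructed sample lines (assumed layout: epoch timestamp first).
SAMPLE = [
    "# constructed sample, not real traffic",
    "1186912800.250000 1.5 10.0.0.5 192.0.2.10 http 40000 80 tcp 300 1200 SF L",
    "not-a-timestamp line that must be skipped",
    "1186916400.750000 0.2 10.0.0.6 192.0.2.11 dns 40001 53 udp 40 120 SF L",
]

def log_time_span(lines):
    """Return (first, last) epoch seconds found in the lines, or None."""
    stamps = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            stamps.append(float(fields[0]))
        except ValueError:
            continue  # line does not start with a timestamp
    return (min(stamps), max(stamps)) if stamps else None

def default_window(now):
    """Default window per the help text: yesterday at 00:30, 24 hours long."""
    start = (now - timedelta(days=1)).replace(hour=0, minute=30,
                                              second=0, microsecond=0)
    return start, start + timedelta(hours=24)

def report_options(lines, now, tz=None):
    """Return (options, covered_by_default); `now` must match `tz`
    (naive local time when tz is None, aware otherwise)."""
    span = log_time_span(lines)
    if span is None:
        return None
    # Round outward so the first and last connections fall inside the range.
    first = datetime.fromtimestamp(math.floor(span[0]), tz)
    last = datetime.fromtimestamp(math.ceil(span[1]), tz)
    d_start, d_end = default_window(now)
    covered = first < d_end and last >= d_start
    opts = ["--report-start", first.strftime(FMT),
            "--report-end", last.strftime(FMT)]
    return opts, covered

if __name__ == "__main__":
    now = datetime(2007, 8, 17, 4, 0, tzinfo=timezone.utc)
    print(report_options(SAMPLE, now, timezone.utc))
```

With `tz=None` the values are rendered in local time; whether site-report.pl reads them as local time is an assumption to check against your installation.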


