[Bro] Capturing the raw trace...
Tim Rupp
tarupp at fnal.gov
Wed Oct 10 12:13:53 PDT 2007
Found it in tcpdump. Looks like it's not in the recent stable tarballs
though; I needed to compile from CVS.
Use the -G flag with an appropriate -w flag; for example, to create a new
dump file every 10 seconds:
tcpdump -G 10 -i eth0 -w "%Y-%m-%d_%H:%M:%S"
will create files that look like
2007-10-10_14:10:14
2007-10-10_14:10:24
2007-10-10_14:10:34
2007-10-10_14:10:44
2007-10-10_14:10:54
Note that the time interval to -G isn't 100% accurate, but it's close
enough.
So LBL needs to push out 3.9 so that the world can rejoice in -G : )
Thanks,
-Tim
Randolph Reitz wrote:
> OK, so I understand that to really debug BRO one needs tcpdump stuff
> rather than BRO's connection records.
>
> Discussing how to get a continuous supply of tcpdump stuff, Tim Rupp and
> I have come up with this idea ...
>
>
> ------------------------------------------------------------------------
>
> Before we go off and invent the above, I'm asking if this already
> exists? Does BRO have some secret way of preserving the libpcap output
> (er, the BRO input)?
>
> Thanks,
> Randy
>
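Once tcpdump is rotating files the way Tim describes, the usual follow-up question is "which of these dumps do I replay through Bro for the connection I am looking at?" The script below is an added example, not code from this thread, from Bro or from tcpdump. It assumes captures were written exactly as in the command above (`-G 10 -w "%Y-%m-%d_%H:%M:%S"`), so that each file name is the local time tcpdump opened that file and a file holds traffic from its own timestamp up to the next file's timestamp. The file listing is constructed: the five names from the post plus one extra opened a second late, to stand in for the timing slop Tim mentions.

```python
"""Pick the rotated tcpdump files that cover a time window.

Added example; not code from the original thread or from Bro/tcpdump.
Assumes captures were written as   tcpdump -G 10 -i eth0 -w "%Y-%m-%d_%H:%M:%S"
so each file name is the local time tcpdump opened that file, and a file
holds traffic from its own timestamp up to the next file's timestamp.
"""
from datetime import datetime, timedelta

TEMPLATE = "%Y-%m-%d_%H:%M:%S"   # the -w strftime template from the post
ROTATE_SECONDS = 10              # the -G interval from the post

# Constructed sample listing: the five names shown in the post plus a sixth,
# opened one second late, to stand in for the timing slop -G is known for.
SAMPLE_FILES = [
    "2007-10-10_14:10:44",   # deliberately out of order: ls need not be sorted
    "2007-10-10_14:10:14",
    "2007-10-10_14:10:24",
    "2007-10-10_14:10:34",
    "2007-10-10_14:10:54",
    "2007-10-10_14:11:05",   # constructed: 11 s after the previous one
]


def parse_name(name):
    """Turn a rotated file name back into the datetime tcpdump opened it."""
    return datetime.strptime(name, TEMPLATE)


def file_spans(names):
    """Return (name, start, end) per file, sorted by start time.

    end is the next file's start; the newest file gets end=None because it
    may still be open and growing.
    """
    ordered = sorted(names, key=parse_name)
    spans = []
    for i, name in enumerate(ordered):
        start = parse_name(name)
        end = parse_name(ordered[i + 1]) if i + 1 < len(ordered) else None
        spans.append((name, start, end))
    return spans


def rotation_drift(names, rotate_seconds=ROTATE_SECONDS):
    """Largest deviation, in seconds, of an actual rotation gap from -G."""
    spans = file_spans(names)
    gaps = [(end - start).total_seconds() for _, start, end in spans if end]
    return max((abs(g - rotate_seconds) for g in gaps), default=0)


def select_files(names, window_start, window_end, slack_seconds=2):
    """Names of the files that overlap [window_start, window_end].

    slack_seconds widens the window on both sides to absorb small clock
    differences between the Bro host's timestamps and tcpdump's file names.
    """
    lo = window_start - timedelta(seconds=slack_seconds)
    hi = window_end + timedelta(seconds=slack_seconds)
    chosen = []
    for name, start, end in file_spans(names):
        # A file overlaps the window if it opened before the window closes
        # and (unless it is still open) closed after the window started.
        if start <= hi and (end is None or end > lo):
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    # Suppose a Bro connection record points at 14:10:30-14:10:40; these
    # are the dumps to replay through Bro offline.
    print(select_files(SAMPLE_FILES,
                       datetime(2007, 10, 10, 14, 10, 30),
                       datetime(2007, 10, 10, 14, 10, 40)))
    print("max rotation drift: %g s" % rotation_drift(SAMPLE_FILES))
```

Because the spans are taken from the actual file names rather than from the nominal -G interval, the selection stays right even when tcpdump rotates a second or two late; `rotation_drift` is there so you can see how far off it actually was on a given box.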