[Bro] Capturing the raw trace...
Matt Cuttler
mcuttler at bnl.gov
Wed Oct 10 13:07:05 PDT 2007
Randolph Reitz wrote:
> OK, so I understand that to really debug BRO one needs tcpdump stuff
> rather than BRO's connection records.
>
> Discussing how to get a continuous supply of tcpdump stuff, Tim Rupp
> and I have come up with this idea ...
>
>
> Before we go off and invent the above, I'm asking if this already
> exists? Does BRO have some secret way of preserving the libpcap
> output (er, the BRO input)?
>
> Thanks,
> Randy
>
If you're looking to write pcaps out to disk, you can use something like
Time Machine (1) or Daemonlogger (2).
1: http://www.net.t-labs.tu-berlin.de/research/tm/
2: http://www.snort.org/users/roesch/Site/Daemonlogger.html
If you're interested, we can discuss off-list :)
-Matt Cuttler