[Bro] Partial tcpdump traces
vern at cs.berkeley.edu
Mon Apr 21 19:25:00 PDT 2008
> I have a trickier question than last time. I am inputting into Bro partial
> tcpdump traces (by using the -s option in tcpdump - I am now getting only
> the first 100 bytes of a packet instead of the full packet).
You can force more analysis by running with bro -C to disable checksum
validation. However, you'll only get very limited analysis out of the
system, since it's designed to operate on full payloads.
Vern
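As an added example (not part of the original thread), a quick check to run on a trace before handing it to Bro: it parses the classic libpcap file header and per-record headers, reports the snaplen, and counts packets whose captured length is shorter than their on-the-wire length. Those are the packets whose TCP/UDP checksums cannot be verified, which is why truncated captures need `bro -C`. The sample capture is constructed inline; pcapng and nanosecond-resolution pcap are not handled.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic microsecond-resolution libpcap
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic seen from the other byte order


def build_pcap(snaplen, packets):
    """Constructed sample: build a little-endian libpcap file in memory.

    packets is a list of (orig_len, captured_bytes); captured_bytes shorter
    than orig_len models what `tcpdump -s <snaplen>` writes out.
    """
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for orig_len, payload in packets:
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 0, 0, len(payload), orig_len)
        out += payload
    return bytes(out)


def truncation_report(data):
    """Return (snaplen, packet_count, truncated_count) for a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    snaplen = struct.unpack_from(endian + "IHHiIII", data, 0)[5]
    off, total, truncated = 24, 0, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16 + incl_len
        total += 1
        if incl_len < orig_len:      # payload cut off at the snaplen
            truncated += 1
    return snaplen, total, truncated


def needs_checksum_bypass(data):
    """True when any packet is truncated, i.e. the trace needs `bro -C`."""
    return truncation_report(data)[2] > 0


if __name__ == "__main__":
    sample = build_pcap(100, [(60, b"\x00" * 60), (1500, b"\x00" * 100)])
    print(truncation_report(sample), needs_checksum_bypass(sample))
```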