(1) Can you read the trace successfully using tcpdump?

(2) If so, what's the shortest subset of it that causes Bro to crash? You can generate short subsets using tcpdump -c <pkt-cnt> to extract just the first <pkt-cnt> packets.

(3) (And if you can't read it with tcpdump, then the problem is elsewhere ...)

Vern
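
The prefix search suggested in the message above can be automated with a binary search over the packet count. This is an added example, not part of the original message or of Bro itself. It assumes that a crash shows up as Bro being killed by a signal, and that if the first N packets crash Bro then so do the first N+1; the function names and the trace file name are hypothetical.

```shell
#!/bin/sh
# Added example: find the smallest N such that the first N packets of a
# trace crash Bro. Assumption: the crash is monotonic in the prefix length.

# bro_crashes N: write the first N packets of $TRACE to a scratch file and
# replay them through Bro. Succeeds only if Bro died from a signal
# (exit status > 128, e.g. SIGSEGV or SIGABRT); this is an assumption
# about how the crash manifests.
bro_crashes() {
    subset="${TMPDIR:-/tmp}/subset.$$.pcap"
    # If tcpdump itself cannot read the trace, the problem is elsewhere.
    tcpdump -r "$TRACE" -c "$1" -w "$subset" 2>/dev/null || return 2
    status=0
    bro -r "$subset" >/dev/null 2>&1 || status=$?
    rm -f "$subset"
    [ "$status" -gt 128 ]
}

# min_crash_prefix TOTAL TESTER: binary search over prefix lengths 1..TOTAL.
# TESTER is a command that succeeds when the given prefix length crashes.
# Prints the smallest crashing length; returns 1 if even TOTAL packets
# do not crash, in which case the trace is not the trigger.
min_crash_prefix() {
    total=$1
    tester=$2
    "$tester" "$total" || return 1
    lo=1
    hi=$total
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$tester" "$mid"; then
            hi=$mid              # prefix of length mid already crashes
        else
            lo=$(( mid + 1 ))    # crash needs more than mid packets
        fi
    done
    echo "$hi"
}

# Usage (trace.pcap and the packet total are placeholders):
#   TRACE=trace.pcap
#   min_crash_prefix 5000 bro_crashes
```

The search replays the trace about log2(TOTAL) times, so a 5000-packet trace needs roughly 13 Bro runs instead of thousands.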