[Bro] getting first results

Robin Sommer robin at icir.org
Wed Jul 29 11:04:50 PDT 2009


On Tue, Jul 28, 2009 at 11:11 -0700, you wrote:

> I am trying to get my first results with BRO. I am just running 
> mt.bro on an existing tcpdump file (containing some DNS data). My 
> exact command is "bin/bro -r dns.cap share/bro/mt.bro"

Note that mt is not loading dns.bro, which is the main DNS analysis
script. Try "bro -r dns.cap mt dns".  Without dns.bro, Bro will not
look at DNS packets at all as they won't pass the packet filter,
which is also why you aren't seeing much activity at all.

(dns-lookup.bro tracks Bro's *own* DNS queries but nothing else).

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
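The reply above comes down to one point: Bro builds its capture filter from the analysis scripts that are loaded, so a script that never loads dns.bro never sees port-53 traffic. The following policy script is an added example, not code from the message or from the Bro project; it assumes the Bro 1.x script API of the time (the `@load dns` directive, the core `dns_request` and `dns_A_reply` events, and the `dns_answer` record with a `query` and `TTL` field), and it is meant to be run as `bro -r dns.cap first-dns.bro` with BROPATH pointing at share/bro so that `@load dns` resolves.

```bro
# first-dns.bro (added example, not from the list message).
# Assumption: Bro 1.x script API. Loading dns.bro extends the packet
# filter so DNS packets reach the analyzer; without it the events below
# would never fire on a DNS-only trace.
@load dns

# Queries seen per name, so the run ends with a short summary.
global query_count: table[string] of count &default = 0;

# Fired once per DNS question in a request.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    ++query_count[query];
    print fmt("%s -> %s query %s (qtype %d)",
              c$id$orig_h, c$id$resp_h, query, qtype);
    }

# Fired once per A record in a reply.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    print fmt("%s answers %s = %s (ttl %s)",
              c$id$resp_h, ans$query, a, ans$TTL);
    }

# Summary after the trace has been read.
event bro_done()
    {
    for ( q in query_count )
        print fmt("%d x %s", query_count[q], q);
    }
```

The per-name count is what makes the output useful for a first look at a trace: names that are queried far more often than the rest, or that never receive an A reply, stand out immediately, which is the kind of signal a DNS monitoring script is normally built around.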


