[Bro] Reassembling packets during inspection
Peter Erickson
redlamb19 at gmail.com
Sat Aug 7 18:10:03 PDT 2010
Is it possible to reassemble TCP and UDP streams while Bro inspects a
captured tracefile from a different machine? I have several pcap files
that contain approx. 6 hrs' worth of traffic. I would like to have Bro
analyze the data, but I also need the streams (both tcp and udp)
reassembled and stored on the hard drive for use with custom python
scripts. I've noticed that the contents.bro script will reassemble TCP
streams, but it doesn't appear to assemble UDP as well.
Any help with this would be greatly appreciated. I have read through
the quick start, wiki, and list archives with no luck. I am new to Bro
so sorry if this is a basic question.
Thanks in advance... I'm running Bro 1.5
--
Peter Erickson
redlamb19 _at_ gmail _dot_ com
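The post asks for UDP "streams" on disk for use with Python. UDP has no stream semantics, so what a tool can offer is the ordered concatenation of each direction's datagram payloads keyed by the 4-tuple. The following is an added example, not Bro's contents.bro and not code from the thread: a dependency-free Python reader for classic pcap files (assumed Ethernet/IPv4 link layer, IP fragments beyond the first dropped) that writes one file per UDP direction, with the input pcap constructed inline.

```python
import os
import struct

def build_frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/UDP frame (constructed test data; checksums left zero)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip_src, ip_dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1281000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield raw frames from an in-memory classic pcap (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def udp_flows(data):
    """Concatenate UDP payloads per (src, sport, dst, dport); IPv4-over-Ethernet only."""
    flows = {}
    for pkt in parse_pcap(data):
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue  # not IPv4, or not UDP
        if struct.unpack_from("!H", pkt, 20)[0] & 0x1FFF:
            continue  # non-first IP fragment carries no UDP header; fragment reassembly is out of scope
        src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
        u = 14 + (pkt[14] & 0x0F) * 4  # UDP header starts after the variable-length IP header
        sport, dport, ulen = struct.unpack_from("!HHH", pkt, u)
        key = (src, sport, dst, dport)
        flows[key] = flows.get(key, b"") + pkt[u + 8:u + ulen]
    return flows

def write_flows(flows, outdir):
    """Store each direction as <src>.<sport>-<dst>.<dport>.udp under outdir; return the paths."""
    paths = [os.path.join(outdir, f"{s}.{sp}-{d}.{dp}.udp") for (s, sp, d, dp) in flows]
    for path, payload in zip(paths, flows.values()):
        with open(path, "wb") as fh: fh.write(payload)
    return paths
```

Feed `udp_flows(open("trace.pcap", "rb").read())` for a real capture; pcapng files and VLAN-tagged or non-Ethernet link layers are not handled by this reader.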