[Bro] scan.bro and missing log entries

Vern Paxson vern at icir.org
Thu Dec 2 10:09:41 PST 2010


> Any suggestions on how to grab a trace of these events?  They are fairly
> random and infrequent.

The usual way is to run bro with -w trace to generate a trace file of the
traffic it analyzes.  I sometimes run with (separate) full packet recording
using tcpdump, because -w files don't always include everything Bro captured
(there are mechanisms to not record some packets to it in an attempt to
save space).

As you note, the Time Machine is another possibility.

Finally, Justin's observation about UDP is a good one.  What flags and
analyzer scripts are you using when running Bro?

		Vern
