[Bro] Using Bro IDS in offline analysis

Vern Paxson vern at icir.org
Sun Feb 14 11:22:53 PST 2010


>     bro -f 'ip' -C -r your.pcap brolite
> 
> will run 'your.pcap' through bro while loading the brolite policy (which loads most things)

Yep.  A minor nit: you shouldn't need "-f ip", as analysis scripts generally
include a tcpdump filter for the packets of interest; and you shouldn't
need -C *unless* the capture has bad checksums (which is usually not the
case, but can be for systems that are recording their own traffic, for
example).

		Vern
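As an added example (not code from this thread, and not part of Bro), the script below puts Vern's caveat into a check you can run before deciding on -C: it parses a classic pcap, verifies the IPv4 header checksum and the TCP/UDP checksum of every packet, and only adds -C to the bro command line when at least one checksum really is bad. The file name 'your.pcap' and the policy name 'brolite' come from the thread; the helper names are mine, and the sample capture is constructed in memory (one good UDP packet, one with a bad IP header checksum, one TCP SYN with a bad TCP checksum). It assumes Ethernet link type and the classic pcap format, not pcapng.

```python
"""Decide whether an offline Bro run on a pcap needs -C (ignore checksums).

Added example, not code from the Bro mailing-list thread or from Bro itself.
Handles classic pcap (not pcapng) with Ethernet frames and IPv4 only.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """One's-complement sum of the 16-bit big-endian words of data (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum to store in a header whose checksum field is zeroed."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify(data: bytes) -> bool:
    """A header with its checksum field filled in sums to 0xFFFF when intact."""
    return ones_complement_sum(data) == 0xFFFF


def build_frame(src, dst, proto, l4, bad_ip=False, bad_l4=False):
    """Ethernet/IPv4/{UDP,TCP} frame; l4 arrives with its checksum field zeroed."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    pseudo = saddr + daddr + struct.pack("!BBH", 0, proto, len(l4))
    off = 6 if proto == 17 else 16            # checksum offset in UDP / TCP header
    l4sum = checksum(pseudo + l4) or 0xFFFF    # 0xFFFF instead of 0 verifies for both
    if bad_l4:
        l4sum ^= 0x00FF                        # deliberate corruption (constructed sample)
    l4 = l4[:off] + struct.pack("!H", l4sum) + l4[off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64,
                     proto, 0, saddr, daddr)
    ipsum = checksum(ip) ^ (0x00FF if bad_ip else 0)
    ip = ip[:10] + struct.pack("!H", ipsum) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # dst, src, IPv4
    return eth + ip + l4


def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def scan_pcap(data: bytes) -> dict:
    """Count IPv4 packets whose IP header or TCP/UDP checksum does not verify."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("this example handles Ethernet (DLT_EN10MB) captures only")
    stats = {"frames": 0, "ipv4": 0, "bad_ip": 0, "bad_l4": 0}
    pos = 24
    while pos + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        stats["frames"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4 (ARP, IPv6, ...) is skipped
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ihl < 20 or len(ip) < ihl:
            continue
        stats["ipv4"] += 1
        if not verify(ip):
            stats["bad_ip"] += 1
        if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
            continue                           # fragment: no full L4 header to check
        proto, total_len = ip[9], struct.unpack("!H", ip[2:4])[0]
        l4 = frame[14 + ihl:14 + total_len]    # drops Ethernet padding, if any
        if proto not in (6, 17) or len(l4) < (8 if proto == 17 else 20):
            continue
        if proto == 17 and l4[6:8] == b"\x00\x00":
            continue                           # UDP checksum absent, nothing to verify
        pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(l4))
        if not verify(pseudo + l4):
            stats["bad_l4"] += 1
    return stats


def bro_command(pcap_path, stats, policy="brolite"):
    """Add -C only when the capture really has bad checksums, as the thread advises."""
    cmd = ["bro", "-r", pcap_path]
    if stats["bad_ip"] or stats["bad_l4"]:
        cmd.append("-C")
    return cmd + [policy]


def sample_pcap(clean=False):
    """Constructed sample: good UDP, UDP with bad IP checksum, TCP with bad TCP checksum."""
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"test"
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return build_pcap([
        build_frame("10.0.0.1", "10.0.0.2", 17, udp),
        build_frame("10.0.0.1", "10.0.0.2", 17, udp, bad_ip=not clean),
        build_frame("10.0.0.1", "10.0.0.2", 6, tcp, bad_l4=not clean),
    ])


if __name__ == "__main__":
    stats = scan_pcap(sample_pcap())
    print(stats)
    print(" ".join(bro_command("your.pcap", stats)))
```

On a real capture, replace sample_pcap() with the bytes of your.pcap. A quick cross-check without any script is `tcpdump -nvr your.pcap`, which prints "bad cksum" for IPv4 headers that do not verify; the capturing-host case Vern mentions usually shows up as a large fraction of outbound packets flagged, because the NIC was going to fill in the checksums after the capture point.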
