[Bro] Differences in processing multiple traces with BRO and ipsumdump

Veronica Estrada estrada.veronica at gmail.com
Mon Jul 12 09:46:21 PDT 2010


Dear Jim/Vern,

Sorry for the delayed answer.  I found that ipsumdump has problems with some
specific files no matter the number of pcap files, but, of course, using a
large number of input files increases the chance of having problems
(unfortunately I cannot figure out the reason). I tried to use tcpslice
instead, but my server crashed twice, apparently due to tcpslice trying to
merge 300 files.
I couldn't test it again to avoid problems.
Any help is welcome, but it doesn't seem timestamp order is the problem for
my case.
My goal is to provide BRO with enough input data for recognizing complete
connections, detecting protocols and avoiding any weird activity caused by
split connections among several pcap files.

Thank you,

Veronica Estrada
Nakao Laboratory - Network Systems Research Group
University of Tokyo



> I used to use ipsumdump to stitch together multiple pcap files into one, but
> have found on occasion that it doesn't always output in timestamp sorted
> order.  Don't have a testcase right now, but IIRC, it occurred if using a
> large number of files.
>
> Consequently, I wrote a little utility 'tcpsort', which although it has its
> deficiencies (in memory sort of timestamps which restricts total size of
> input files, and two passes thru the input files) works for the purpose of
> stitching multiple pcap files together in timestamp sorted order.  I can
> post it if there's interest.
>
>
>
> --
> Jim Mellander
> Lawrence Berkeley National Laboratory
> (510) 486-7204
>
> The reason you are having computer problems is:
>
> knot in cables caused data stream to become twisted and kinked
>
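As an added illustration of the approach Jim describes (read every record from all input captures, sort by timestamp in memory, write one pcap), here is a small pure-Python merger; it is not code from this thread or from the tcpsort utility, and the function names, the constructed sample captures and the 65535 snaplen are assumptions of this example.

```python
import struct
from typing import List, Tuple

Record = Tuple[int, int, int, bytes]  # (ts_sec, ts_usec, orig_len, packet_bytes)
LITTLE_MAGIC, BIG_MAGIC = 0xA1B2C3D4, 0xD4C3B2A1  # classic microsecond pcap magics

def parse_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file; returns (linktype, records)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == LITTLE_MAGIC:
        e = "<"
    elif magic == BIG_MAGIC:
        e = ">"  # written on a big-endian host; byte-swap every header field
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(e + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, pkt))
        off += 16 + incl_len
    return linktype, records

def build_pcap(linktype: int, records: List[Record]) -> bytes:
    """Serialize records as a little-endian pcap (snaplen 65535)."""
    out = [struct.pack("<IHHiIII", LITTLE_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, orig_len, pkt in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt)
    return b"".join(out)

def merge_sorted(files: List[bytes]) -> bytes:
    """Merge pcaps into one ordered by timestamp (whole input held in RAM)."""
    linktypes, records = set(), []
    for data in files:
        lt, recs = parse_pcap(data)
        linktypes.add(lt)
        records.extend(recs)
    if len(linktypes) != 1:
        raise ValueError("mixed link types %r cannot share one pcap" % linktypes)
    records.sort(key=lambda r: (r[0], r[1]))  # stable: ties keep input order
    return build_pcap(linktypes.pop(), records)

# Constructed sample captures: packets interleave in time and file B itself is
# out of order, the symptom Jim describes seeing in ipsumdump output.
FILE_A = build_pcap(1, [(100, 0, 60, b"A1"), (100, 500, 60, b"A2"), (103, 0, 60, b"A3")])
FILE_B = build_pcap(1, [(100, 250, 60, b"B1"), (104, 0, 60, b"B2"), (101, 0, 60, b"B3")])
MERGED = merge_sorted([FILE_A, FILE_B])
```

Because the whole input is sorted in memory, the total size of the captures is bounded by RAM, the same limitation Jim notes for tcpsort; a k-way heap merge would lift that limit only if each input file is already in timestamp order.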