[Bro] processing many files with bro
Matthias Vallentin
vallentin at ICSI.Berkeley.EDU
Wed Mar 10 11:21:38 PST 2010
On Wed, Mar 10, 2010 at 08:30:56AM -0800, Robin Sommer wrote:
> That's probably the best solution and you can do it on the fly: have
> your merge tool (e.g., tcpslice) write to stdout and Bro read from
> stdin with "-r -". The effect on memory will indeed be that of one
> large pcap file but if that causes trouble, you should tweak the
> Bro configuration.
Yet another tool:
% ipsumdump --collate -w - *.pcap | bro -r - http-request etc
The switch --collate ensures monotone timestamps.
Matthias
--
Matthias Vallentin
vallentin at icir.org
http://www.icir.org/matthias
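
Timestamp-ordered merging of several capture files, sketched in Python as an added example (not part of the original post and not ipsumdump's code). It assumes classic little-endian, microsecond-resolution pcap inputs that are each already time-sorted and share one link type; all function names are hypothetical.

```python
import heapq
import io
import struct

MAGIC_LE_USEC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond stamps

def open_pcap(stream):
    """Return (global_header, iterator of (timestamp_us, raw_record))."""
    header = stream.read(24)
    if len(header) != 24 or struct.unpack("<I", header[:4])[0] != MAGIC_LE_USEC:
        raise ValueError("expected little-endian microsecond pcap")

    def records():
        while True:
            rec_hdr = stream.read(16)
            if len(rec_hdr) < 16:
                return  # end of file, or a truncated record header
            ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", rec_hdr)
            data = stream.read(incl_len)
            if len(data) < incl_len:
                return  # truncated final packet: drop it
            yield ts_sec * 1_000_000 + ts_usec, rec_hdr + data

    return header, records()

def collate(streams, out):
    """Merge pcap streams into `out` in timestamp order; return packet count."""
    opened = [open_pcap(s) for s in streams]
    linktypes = {struct.unpack("<I", hdr[20:24])[0] for hdr, _ in opened}
    if len(linktypes) != 1:
        raise ValueError("inputs must share exactly one link type")
    out.write(opened[0][0])  # reuse the first input's global header
    count = 0
    # heapq.merge keeps one pending record per input; each input must be sorted.
    for _, raw in heapq.merge(*(recs for _, recs in opened), key=lambda r: r[0]):
        out.write(raw)
        count += 1
    return count

def make_pcap(timestamps_us, linktype=1):
    """Constructed sample input: one 4-byte dummy packet per timestamp."""
    buf = struct.pack("<IHHiIII", MAGIC_LE_USEC, 2, 4, 0, 0, 65535, linktype)
    for ts in timestamps_us:
        buf += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, 4, 4) + b"\0" * 4
    return io.BytesIO(buf)

def timestamps(stream):
    """List the packet timestamps (microseconds) found in a pcap stream."""
    return [ts for ts, _ in open_pcap(stream)[1]]
```

Because the merge is lazy, only one pending packet per input is held in memory, so the output can be written straight to a pipe.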