> Yet another tool: > > % ipsumdump --collate -w - *.pcap | bro -r - http-request etc > > The switch --collate ensures monotone timestamps. Yeah, indeed that's a bit better than tcpslice, because ipsumdump will correctly collate traces that overlap in time, while IIRC tcpslice won't. Vern