[Bro] processing many files with bro

Veronica Estrada estrada.veronica at gmail.com
Thu Mar 11 03:01:47 PST 2010


Sorry, I couldn't make it work.

ipsumdump --collate -w *.pcap | $BROHOME/bin/bro -r - brolite mysite
/usr/local/bro-1.5-dep/bin/bro: problem with trace file - - truncated dump
file; tried to read 24 file header bytes, only got 0

Veronica

On Thu, Mar 11, 2010 at 3:14 AM, Matthias Vallentin <vallentin at icir.org> wrote:

> On Wed, Mar 10, 2010 at 08:30:56AM -0800, Robin Sommer wrote:
> > That's probably the best solution and you can do it on the fly: have
> > your merge tool (e.g., tcpslice) write to stdout and Bro read from
> > stdin with "-r -". The effect on memory will indeed be that of one
> > large pcap file but if that causes trouble, you should tweak the
> > Bro configuration.
>
> Yet another tool:
>
> % ipsumdump --collate -w - *.pcap | bro -r - http-request etc
>
> The switch --collate ensures monotone timestamps.
>
>   Matthias
> --
> Matthias Vallentin
> vallentin at icir.org
> http://www.icir.org/matthias
>
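The merge step the thread describes, as an added example that is not part of the thread and not ipsumdump's or Bro's code: a small Python `collate.py` (assumed file name) that does what `ipsumdump --collate -w -` does, a k-way merge of several time-ordered pcap files into one stream with monotone timestamps written to stdout, and that fails on an empty input with the same 24-byte file header check behind the error Bro printed. The sample captures are constructed in memory.

```python
import heapq
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype: 24 bytes
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len: 16 bytes

def read_global_header(f):
    # An empty stdin fails right here, with the same message Bro printed for "-r -".
    hdr = f.read(GLOBAL_HDR.size)
    if len(hdr) < GLOBAL_HDR.size:
        raise ValueError(f"truncated dump file: tried to read 24 file header bytes, only got {len(hdr)}")
    fields = GLOBAL_HDR.unpack(hdr)
    if fields[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian microsecond-timestamp pcap file")
    return fields

def records(f):
    # Yield (ts_sec, ts_usec, raw_record); raw_record keeps the 16-byte record header for re-emission.
    while True:
        rh = f.read(REC_HDR.size)
        if not rh:
            return
        ts_sec, ts_usec, incl_len, _ = REC_HDR.unpack(rh)  # struct.error if the header is short
        data = f.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec, ts_usec, rh + data

def collate(inputs, out):
    # k-way merge of time-ordered captures into one monotone stream (what --collate does); returns packet count.
    headers = [read_global_header(f) for f in inputs]
    magic, major, minor, tz, sig, _, link = headers[0]
    out.write(GLOBAL_HDR.pack(magic, major, minor, tz, sig, max(h[5] for h in headers), link))
    count = 0
    for count, (_, _, raw) in enumerate(heapq.merge(*(records(f) for f in inputs), key=lambda r: (r[0], r[1])), 1):
        out.write(raw)
    return count

def make_pcap(packets):
    # Constructed in-memory capture (linktype 1) from (ts_sec, ts_usec, payload) tuples, for testing.
    buf = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for s, u, p in packets:
        buf += REC_HDR.pack(s, u, len(p), len(p)) + p
    return buf

if __name__ == "__main__":
    # python collate.py *.pcap | bro -r - brolite mysite   (merged capture goes to stdout, like -w -)
    collate([open(p, "rb") for p in sys.argv[1:]], sys.stdout.buffer)
```

Whatever tool does the merge has to write the merged capture to stdout (the `-` after `-w` in Matthias's command line); if the pipe carries nothing, Bro's `-r -` sees 0 of the 24 header bytes and reports exactly the truncated dump file error above.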