[Bro] Bro DPD (Beginner)
Seth Hall
seth at icir.org
Fri Apr 13 08:39:21 PDT 2012
On Apr 13, 2012, at 11:13 AM, zubair rafique wrote:
> I am using the following command line option:
> sudo /usr/local/bro/bin/bro -f tcp -r mytrace.pcap /usr/local/bro/share/bro/base/frameworks/dpd/main.bro
> There is no dpd log file generated by bro.
> What I am missing here?.
Do you have a conn.log or http.log? conn.log will indicate which analyzer(s) successfully analyzed a connection and http.log will show the information from the log. dpd.log is mostly used for debugging when and why DPD failed. No failure, no log (failure includes the client or server not abiding the protocol).
You also don't need to include "-f tcp" in your filter. Bro has a wide open filter which lets everything in by default now. You also don't need to load that script. You could condense your entire command line to "bro -r mytrace.pcap"
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Bro
mailing list