[Bro] bro protocol detection from pcap

Seth Hall seth at icir.org
Thu Apr 19 05:55:09 PDT 2012


On Apr 19, 2012, at 7:13 AM, Oguz Yarimtepe wrote:

> One of the pcaps that has an HTTP flow in it is 213.pcap. When I try it with bro I don't see any application level information.

Your tracefile has bad checksums.  Either fix the checksums or use the -C command line flag to ignore checksums.

> # bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap

You can leave out most of this command line.  This should work fine:

bro -r 213.pcap 

BroControl runs with all of those extra args to add various functionality that you don't need to worry about when you're just looking to analyze a tracefile.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
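As an added example, not part of the thread above, here is a small Python checker that walks a pcap and counts IPv4/TCP packets whose header or segment checksum does not verify, so you know before running `bro -r` whether the trace needs `-C`. The sample pcap is constructed inline (one good SYN, one with a zeroed TCP checksum); point `audit_pcap` at the bytes of a real file to check a trace such as 213.pcap.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when data already carries a valid checksum."""
    data += b"\x00" if len(data) % 2 else b""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_tcp_checksums_ok(pkt: bytes) -> bool:
    """pkt starts at the IPv4 header: verify the IP header checksum and, for TCP, the segment checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))  # src, dst, zero, proto, TCP length
    return csum(pkt[:ihl]) == 0 and (pkt[9] != 6 or csum(pseudo + seg) == 0)

def audit_pcap(data: bytes) -> tuple:
    """Walk a classic pcap of Ethernet frames; return (IPv4 packets seen, packets with a bad checksum)."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic 0xa1b2c3d4 in either byte order
    pos, seen, bad = 24, 0, 0
    while pos + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType IPv4
            seen += 1
            bad += not ipv4_tcp_checksums_ok(frame[14:])
    return seen, bad

def make_syn_frame(bad_tcp_csum: bool = False) -> bytes:
    """Constructed sample: Ethernet/IPv4/TCP SYN to port 80; optionally leave the TCP checksum zeroed."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", 0 if bad_tcp_csum else csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames) -> bytes:
    """Classic little-endian pcap (linktype 1 = Ethernet) wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed trace: one good packet, one whose TCP checksum was never filled in (what checksum offload leaves).
SAMPLE_PCAP = make_pcap([make_syn_frame(), make_syn_frame(bad_tcp_csum=True)])
```

If the bad count is non-zero, Bro will skip those packets' TCP payload unless you run it with `-C`, which is exactly the symptom of seeing no HTTP logs from a trace that clearly contains HTTP.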