[Bro] bro protocol detection from pcap
Seth Hall
seth at icir.org
Thu Apr 19 05:55:09 PDT 2012
On Apr 19, 2012, at 7:13 AM, Oguz Yarimtepe wrote:
> One of the pcaps that has an HTTP flow in it is 213.pcap. When I try it with bro I don't see any application level information.
Your tracefile has bad checksums. Either fix the checksums or use the -C command line flag to ignore checksums.
> # bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap
You can leave out most of this command line. This should work fine:
bro -r 213.pcap
BroControl runs with all of those extra args to add various functionality that you don't need to worry about when you're just looking to analyze a tracefile.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
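
An added example, not part of the original message or of Bro itself: a Python check for the condition described in the reply, counting valid and invalid IPv4 and TCP checksums in a classic pcap before deciding whether to run with -C. The function names and the two-packet sample are constructed for illustration; it assumes Ethernet framing and skips pcapng, VLAN-tagged frames and IPv6.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when data carries a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def count_checksums(pcap: bytes) -> dict:
    """Tally valid/invalid IPv4 and TCP checksums in a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic (non-pcapng) pcap file")
    stats = {"ip_ok": 0, "ip_bad": 0, "tcp_ok": 0, "tcp_bad": 0}
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or (frame[14] & 0x0F) < 5:
            continue                           # not a usable IPv4-over-Ethernet frame
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        stats["ip_ok" if csum(ip) == 0 else "ip_bad"] += 1
        total, frag = struct.unpack("!H2xH", ip[2:8])
        seg = frame[14 + ihl:14 + total]       # slicing drops Ethernet padding
        if ip[9] != 6 or frag & 0x3FFF or len(seg) != total - ihl:
            continue                           # not TCP, a fragment, or cut by snaplen
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
        stats["tcp_ok" if csum(pseudo + seg) == 0 else "tcp_bad"] += 1
    return stats

def sample_pcap() -> bytes:
    """Constructed input: two HTTP request frames, the second with a zeroed TCP checksum."""
    src, dst, frames = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), []
    for valid in (True, False):
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
        tcp += b"GET / HTTP/1.1\r\n"
        if valid:
            c = csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
            tcp = tcp[:16] + struct.pack("!H", c) + tcp[18:]
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst
        ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
        frames.append(b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To check a real trace, pass the file's bytes to `count_checksums`; a high `tcp_bad` count alongside a clean `ip_ok` count points at the checksum problem the reply describes rather than at a corrupt capture.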